On 25/09/18 22:15, Chris Staite wrote:
> Hi,
> 
> I've recently upgraded my router to an alpha firmware that uses DNSmasq 
> v2.79.  I'm having issues with it performing DNSSEC validation that I didn't 
> have with the old version of DNSmasq (which I'm not entirely sure which 
> version it was).
> 
> I've managed to pin down the exact conditions that cause the error.  When I 
> perform DNSSEC validation over IPv6 for a long domain it causes DNSmasq to 
> return SRVFAIL. Specifically, I get the log message "validation 
> 192-168-0-123.0d0f0601f95b420c82cb9dcac0f0a2d5.plex.direct is ABANDONED".
> 
> The full trail of the log is:
> 
> Sep 25 20:40:42 dnsmasq[24782]: query[A] 
> 192-168-0-123.0d0f0601f95b420c82cb9dcac0f0a2d5.plex.direct from 192.168.1.107
> Sep 25 20:40:42 dnsmasq[24782]: forwarded 
> 192-168-0-123.0d0f0601f95b420c82cb9dcac0f0a2d5.plex.direct to 
> 2606:4700:4700::1111
> Sep 25 20:40:42 dnsmasq[24782]: dnssec-query[DS] direct to 
> 2606:4700:4700::1111
> Sep 25 20:40:42 dnsmasq[24782]: dnssec-query[DNSKEY] . to 2606:4700:4700::1111
> Sep 25 20:40:42 dnsmasq[24782]: reply . is DNSKEY keytag 20326, algo 8
> Sep 25 20:40:42 dnsmasq[24782]: reply . is DNSKEY keytag 2134, algo 8
> Sep 25 20:40:42 dnsmasq[24782]: reply . is DNSKEY keytag 41656, algo 8
> Sep 25 20:40:42 dnsmasq[24782]: reply . is DNSKEY keytag 19036, algo 8
> Sep 25 20:40:42 dnsmasq[24782]: reply direct is DS keytag 20629, algo 8, 
> digest 1
> Sep 25 20:40:42 dnsmasq[24782]: reply direct is DS keytag 20629, algo 8, 
> digest 2
> Sep 25 20:40:42 dnsmasq[24782]: dnssec-query[DS] plex.direct to 
> 2606:4700:4700::1111
> Sep 25 20:40:42 dnsmasq[24782]: validation 
> 192-168-0-123.0d0f0601f95b420c82cb9dcac0f0a2d5.plex.direct is ABANDONED
> 
> If the request is performed over UDP it is successful, but the length forces 
> it to fall back to TCP which has this issue.  The only difference between the 
> queries that I can see from the packet captures is that the Transaction ID is 
> 0 for all of the follow-up queries over TCP.  Looking through the source it 
> seems the processing for TCP is completely separate to UDP, so there may be a 
> logic error between them?
> 
> I'm happy to provide any more packet captures or information as required.  I 
> currently don't have a cross-compiling environment set up to build changes 
> for the router binary, but if that would be helpful I could probably make one.
> 

You say "When I perform DNSSEC validation over IPv6" which implies, but
doesn't state, that the same test works when talking to usptream DNS
servers over IPv4? Is that the case? Certainly, a quick test here works
over IPv4. I'm wondering if I need to resurrect my severely bit-rotted
IPv6 tunnel setup?


Cheers,

Simon.


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to