On 22/10/2018 17:56, Craig Andrews wrote:
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
> 
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
> 
> Here are a couple of tests demonstrating the problem:
> ------
> $ dig disa.mil @192.168.0.1 +dnssec +short
> <no output>
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> ------
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
> 

As Matthias says elsewhere in the thread, the last sentence above
appears not to be correct: it does work with 8.8.8.8, but not with 1.1.1.1.

srk@holly:~$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
srk@holly:~$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76


The replies from 1.1.1.1 are missing the DNSSEC signatures, and this
appears to be a problem at Cloudflare, rather than a problem with
dnsmasq, or with the domain.

If I use 8.8.8.8 as upstream, dnsmasq validates fine. If I use 1.1.1.1
validation fails, because 1.1.1.1 is not returning the RRSIG RRs, even
though it's been asked to. Without those RRSIGs the reply can't be
validated.

This problem with 1.1.1.1 seems to extend to many more .mil domains.

TL;DR. Not a dnsmasq problem, not a domain problem, probably a
Cloudflare problem.

Craig, please could you report this to Cloudflare?


Cheers,

Simon.
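
A check for the condition described in this message (answer records arriving without their RRSIGs even though DNSSEC data was requested), as an added example that is not part of the original post or of dnsmasq. The function names are hypothetical and the sample records are constructed, using the reserved name example.test rather than captured output.

```shell
#!/bin/sh
# Added example: flag answer RRsets that arrive without a covering RRSIG.

# Reads `dig +dnssec +noall +answer` output on stdin.
# Prints "name type" for every RRset that no RRSIG covers.
# Exit status: 0 = every RRset is signed, 1 = unsigned RRset(s) found,
#              2 = no answer records at all (e.g. SERVFAIL or empty reply).
unsigned_rrsets() {
    awk '
        /^;/ || NF < 5 { next }                    # skip comments, blank lines
        { name = tolower($1); type = $4; n++ }
        type == "RRSIG" { covered[name " " $5] = 1; next }   # $5: type covered
        { seen[name " " type] = 1 }
        END {
            if (!n) exit 2
            bad = 0
            for (k in seen) if (!(k in covered)) { print k; bad = 1 }
            exit bad
        }
    '
}

# Query one upstream with the DO bit set and check its answer.
# Needs network access: check_upstream <server> <name>
check_upstream() {
    dig "$2" "@$1" +dnssec +noall +answer | unsigned_rrsets
}

# Constructed sample answers (not captured output):
# one with its signature, one with the signature stripped.
SIGNED='example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 8 2 300 20181117000000 20181018000000 12345 example.test. c2FtcGxl'
STRIPPED='example.test. 300 IN A 192.0.2.10'
```

Running `check_upstream` against each candidate upstream before pointing a validating dnsmasq at it shows whether that upstream passes RRSIGs through for a signed zone.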


