Hi,

I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when I visit the Cloudflare test site https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't determine if I have secure DNS enabled.


It's trying to look up 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which is failing. dnsmasq is logging:

Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?


; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


This is weird because if I query 1.1.1.1 directly with dig, it succeeds:

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1


Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS. If I query stubby directly, it also succeeds.


It seems to work OK with other domains like cloudflare.com, just not the test site.


Hamish

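The two dig runs above differ only in the header: the reply through dnsmasq is SERVFAIL with no AD flag, the direct 1.1.1.1 reply is NOERROR with AD set. The script below is an added example (not from this thread or from dnsmasq) that builds the same kind of query dig +dnssec sends, i.e. an EDNS0 OPT record with the DO bit, and decodes a reply header into the status and flags dig prints; the two sample headers and the query name example.test are constructed to mirror the post.

```python
"""Build a DNSSEC (DO bit) query and classify a resolver's reply header, stdlib only."""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_dnssec_query(qname: str, txid: int = 0x1234) -> bytes:
    """Wire-format A query with RD set plus an EDNS0 OPT RR carrying DO=1,
    which is what `dig +dnssec` sends upstream."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (OPT)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname_wire + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP payload 4096, ext-rcode 0, version 0,
    # flags 0x8000 (DO bit), RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def classify_reply(reply: bytes) -> dict:
    """Decode the 12-byte header: rcode and the flags dig shows (qr rd ra ad cd)."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", reply[:12])
    rcode = flags & 0x000F
    info = {
        "id": txid,
        "status": RCODES.get(rcode, str(rcode)),
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated the answer
        "cd": bool(flags & 0x0010),  # Checking Disabled
        "answers": an,
    }
    if info["status"] == "SERVFAIL":
        info["verdict"] = "validation failed or upstream not returning DNSSEC data"
    elif info["ad"]:
        info["verdict"] = "validated (AD set)"
    else:
        info["verdict"] = "answered but not validated (no AD)"
    return info


# Constructed sample headers mirroring the two dig outputs in the post
DNSMASQ_REPLY = struct.pack(">HHHHHH", 27559, 0x8182, 1, 0, 0, 1)     # qr rd ra, SERVFAIL
CLOUDFLARE_REPLY = struct.pack(">HHHHHH", 12981, 0x81A0, 1, 4, 0, 1)  # qr rd ra ad, NOERROR

if __name__ == "__main__":
    for name, hdr in (("via dnsmasq", DNSMASQ_REPLY), ("via 1.1.1.1", CLOUDFLARE_REPLY)):
        print(name, classify_reply(hdr))
```

Send the query bytes over UDP port 53 to each resolver in turn and feed the raw reply to classify_reply to see whether the validating path (dnsmasq) or the upstream (1.1.1.1, stubby) is the one dropping the AD bit or returning SERVFAIL.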

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
