It looks like it's the same. I can't query the www.vp4.navy.mil site listed in that other report with validation enabled either.


dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2
dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS
dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is <CNAME>

dnsmasq[14688]: 7 192.168.42.2/43514 query[A] 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from 192.168.42.2
dnsmasq[14688]: 7 192.168.42.2/43514 forwarded 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo 8, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 2129, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 59540, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DS keytag 2371, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 34505, algo 13
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 2371, algo 13
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
dnsmasq[14688]: 7 192.168.42.2/43514 reply 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is <CNAME>
dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.225.45
dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.224.45


Hamish


On 17/7/19 9:59 pm, Simon Kelley wrote:
I'm not in a position to look at this for a few days, but in the meantime,


http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html


discusses a situation which looks, at least superficially, similar. It
might be worth turning on DNS logging and seeing if the similarity goes
deeper.

Cheers,

Simon.



On 17/07/2019 06:41, Hamish Moffatt wrote:
Hi,

I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
I visit the Cloudflare test site
https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
determine if I have secure DNS enabled.


It's trying to look up
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
is failing. dnsmasq is logging:

Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply
received, do upstream DNS servers support DNSSEC?


; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


This is weird because if I query 1.1.1.1 directly with dig, it succeeds:

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1


Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
If I query stubby directly, it also succeeds.


It seems to work OK with other domains like cloudflare.com, just not the
test site.


Hamish


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
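The logs in this thread show how dnsmasq walks the DS chain for a name and marks the answer BOGUS as soon as one delegation's DS lookup comes back unsigned ("Insecure DS reply received"). The script below is an added example, not part of the thread and not dnsmasq's own code: it parses dnsmasq log lines of the shape shown above, groups them by client/port, and reports for each query the upstream used, the validation result, which delegations returned a signed DS and which one broke the chain. The sample input is the thread's www.vp4.navy.mil session plus a constructed SECURE session (www.example.com, DS keytag 11111, address 192.0.2.10, all invented); attributing the bare warning line to the DS query logged just before it is an assumption about log ordering.

```python
import re
from collections import OrderedDict

# Shape of the dnsmasq --log-queries/--log-dnssec lines shown in the thread:
#   [syslog prefix] dnsmasq[PID]: <query-id or *> <client>/<port> <verb> <name> [rest]
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]:\s+(?P<qid>\d+|\*)\s+(?P<key>\S+/\d+)\s+"
    r"(?P<verb>query\[\w+\]|forwarded|dnssec-query\[\w+\]|reply|validation)\s+"
    r"(?P<name>\S+)\s*(?P<rest>.*)$"
)
# The warning carries no client/port, so it has to be attributed by position.
WARN_RE = re.compile(r"dnsmasq\[\d+\]:\s+Insecure DS reply received")

# Constructed sample input: the port-60372 session is the thread's own
# www.vp4.navy.mil log; the port-51000 session (example.com, keytag 11111,
# 192.0.2.10) is invented to show what a clean SECURE validation looks like.
SAMPLE_LOG = [
    "dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2",
    "dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1",
    "dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1",
    "dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?",
    "dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS",
    "dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS",
    "dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is <CNAME>",
    "dnsmasq[14688]: 324 192.168.42.2/51000 query[A] www.example.com from 192.168.42.2",
    "dnsmasq[14688]: 324 192.168.42.2/51000 forwarded www.example.com to 1.1.1.1",
    "dnsmasq[14688]: * 192.168.42.2/51000 dnssec-query[DS] example.com to 1.1.1.1",
    "dnsmasq[14688]: * 192.168.42.2/51000 reply example.com is DS keytag 11111, algo 13, digest 2",
    "dnsmasq[14688]: 324 192.168.42.2/51000 validation www.example.com is SECURE",
    "dnsmasq[14688]: 324 192.168.42.2/51000 reply www.example.com is 192.0.2.10",
]


def analyse(lines):
    """Group log lines by client/port and track each query's DNSSEC chain."""
    sessions = OrderedDict()
    last_ds = {}      # key -> zone named in the most recent dnssec-query[DS]
    last_key = None   # key of the most recently seen keyed line
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            key, verb, name, rest = m.group("key", "verb", "name", "rest")
            s = sessions.setdefault(key, {
                "query": None, "upstream": None, "validation": None,
                "ds_chain": [], "secure_ds": [], "insecure_ds": [], "bogus_ds": [],
            })
            last_key = key
            if verb.startswith("query["):
                s["query"] = name
            elif verb == "forwarded":
                s["upstream"] = rest.split()[-1]          # "to 1.1.1.1"
            elif verb == "dnssec-query[DS]":
                s["ds_chain"].append(name)
                last_ds[key] = name
            elif verb == "reply" and rest.startswith("is DS keytag"):
                s["secure_ds"].append(name)               # a signed DS came back
            elif verb == "reply" and rest.startswith("is BOGUS"):
                s["bogus_ds"].append(name)
            elif verb == "validation":
                s["validation"] = rest.split()[-1]        # "is BOGUS" -> "BOGUS"
        # Assumption: the bare warning refers to the DS query logged just before it.
        if WARN_RE.search(line) and last_key in last_ds:
            sessions[last_key]["insecure_ds"].append(last_ds[last_key])
    return sessions


def failing_delegations(lines):
    """Map each BOGUS query to the delegation(s) whose DS lookup came back unsigned."""
    out = {}
    for s in analyse(lines).values():
        if s["validation"] == "BOGUS" and s["query"]:
            out[s["query"]] = s["insecure_ds"] or s["bogus_ds"]
    return out


def summarize(lines):
    """One human-readable line per client/port session."""
    rows = []
    for key, s in analyse(lines).items():
        rows.append(
            f"{key} {s['query']} via {s['upstream']}: {s['validation']}; "
            f"signed DS for {s['secure_ds']}; unsigned DS for {s['insecure_ds']}"
        )
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("chain broke at:", failing_delegations(SAMPLE_LOG))
```

Feed it real `--log-queries --log-dnssec` output instead of SAMPLE_LOG to see, per query, whether the BOGUS verdict is caused by one specific delegation (as with vp4.navy.mil and is-cf.cloudflareresolve.com above) or by a forwarder that strips DNSSEC records altogether, in which case every session will show unsigned DS replies.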
