On 18/07/2019 10:57, Hamish Moffatt wrote:
> Yes it does work with 8.8.8.8.
> 
> It works if I query 1.1.1.1 directly with dig though, or use proxy-dnssec.

The problem is not the answer to the query, it's that for dnsmasq to
validate the answer, it has to make a set of further queries, and
Cloudflare's answer to one of those queries is strange and/or wrong:
the requested data is provided, but not the digital signature which
validates it. I've only seen this effect from Cloudflare, and, as I
recall, only sometimes; repeating the query sometimes gets the expected
answer.

Cheers,

Simon.

> 
> 
> Thanks,
> Hamish
> 
> PS Did you mean to reply off-list?

No, my mistake, I've added the list back.

> 
> 
> On 18/7/19 7:03 pm, Simon Kelley wrote:
>> Does it work if you use 8.8.8.8 instead of 1.1.1.1? I'm pretty sure this
>> is a cloudflare bug, but I've failed to get them to take notice of it so
>> far.
>>
>>
>> Simon.
>>
>>
>> On 18/07/2019 02:37, Hamish Moffatt wrote:
>>> It looks like it's the same. I can't query the www.vp4.navy.mil site
>>> listed in that other report with validation enabled either.
>>>
>>>
>>> dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from
>>> 192.168.42.2
>>> dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to
>>> 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to
>>> 1.1.1.1
>>> dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers
>>> support DNSSEC?
>>> dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
>>> dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is
>>> BOGUS
>>> dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is <CNAME>
>>>
>>> dnsmasq[14688]: 7 192.168.42.2/43514 query[A]
>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from
>>> 192.168.42.2
>>> dnsmasq[14688]: 7 192.168.42.2/43514 forwarded
>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com to
>>> 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS]
>>> cloudflareresolve.com to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS
>>> keytag 64088, algo 13, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS]
>>> is-cf.cloudflareresolve.com to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo
>>> 8, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflare.net to
>>> 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886,
>>> algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 2129,
>>> algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 59540,
>>> algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DS keytag
>>> 2371, algo 13, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] cloudflare.net
>>> to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY
>>> keytag 34505, algo 13
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY
>>> keytag 2371, algo 13
>>> dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers
>>> support DNSSEC?
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com
>>> is BOGUS DS
>>> dnsmasq[14688]: 7 192.168.42.2/43514 validation
>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is
>>> BOGUS
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply
>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is
>>> <CNAME>
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply
>>> is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.225.45
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply
>>> is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.224.45
>>>
>>>
>>> Hamish
>>>
>>>
>>> On 17/7/19 9:59 pm, Simon Kelley wrote:
>>>> I'm not in a position to look at this for a few days, but in the
>>>> meantime,
>>>>
>>>>
>>>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html
>>>>
>>>> discusses a situation which looks, at least superficially, similar. It
>>>> might be worth turning on DNS logging and seeing if the similarity goes
>>>> deeper.
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>>
>>>>
>>>> Simon.
>>>>
>>>> On 17/07/2019 06:41, Hamish Moffatt wrote:
>>>>> Hi,
>>>>>
>>>>> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
>>>>> router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on,
>>>>> when
>>>>> I visit the Cloudflare test site
>>>>> https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
>>>>> determine if I have secure DNS enabled.
>>>>>
>>>>>
>>>>> It's trying to look up
>>>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com,
>>>>> which
>>>>> is failing. dnsmasq is logging:
>>>>>
>>>>> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply
>>>>> received, do upstream DNS servers support DNSSEC?
>>>>>
>>>>>
>>>>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
>>>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>
>>>>>
>>>>> This is weird because if I query 1.1.1.1 directly with dig, it
>>>>> succeeds:
>>>>>
>>>>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
>>>>> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
>>>>> @1.1.1.1
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
>>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0,
>>>>> ADDITIONAL: 1
>>>>>
>>>>>
>>>>> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over
>>>>> TLS.
>>>>> If I query stubby directly, it also succeeds.
>>>>>
>>>>>
>>>>> It seems to work OK with other domains like cloudflare.com, just
>>>>> not the
>>>>> test site.
>>>>>
>>>>>
>>>>> Hamish
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dnsmasq-discuss mailing list
>>>>> Dnsmasq-discuss@lists.thekelleys.org.uk
>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>>>
>>>
>>>
>>>
> 
> 

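As an added illustration of the chain-of-trust lookups Simon describes (this is not code from the thread or from dnsmasq): a Python script that reads dnsmasq DNSSEC log lines like the ones Hamish posted, reconstructs the DS/DNSKEY queries per client session, and pins the lookup whose reply came back without a validatable signature. The log sample is constructed from the quoted log, and the regexes assume the dnsmasq 2.80 log format exactly as shown above.

```python
import re
from collections import defaultdict

# Constructed sample: DNSSEC lines of the 1.1.1.1 session from the log quoted in this thread, wraps re-joined.
SAMPLE_LOG = """\
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
"""
QUERY = re.compile(r"(\S+/\d+) dnssec-query\[(DS|DNSKEY)\] (\S+) to (\S+)")
SIGNED = re.compile(r"(\S+/\d+) reply (\S+) is (DS|DNSKEY) keytag (\d+), algo (\d+)")
BOGUS = re.compile(r"(\S+/\d+) reply (\S+) is BOGUS (DS|DNSKEY)")
RESULT = re.compile(r"(\S+/\d+) validation (\S+) is (\w+)")

def analyse(log_text):
    """Per client session (ip/port): the chain-of-trust lookups dnsmasq made and the first it could not validate."""
    sessions = defaultdict(lambda: {"pending": {}, "validated": [], "broken": [], "result": None})
    unsigned = False  # the "Insecure DS reply" warning carries no session id; it precedes the BOGUS line
    for line in log_text.splitlines():
        if "Insecure DS reply received" in line:
            unsigned = True  # DS data arrived, but without the RRSIG that would validate it
        elif m := QUERY.search(line):
            sid, rtype, name, upstream = m.groups()
            sessions[sid]["pending"][(name, rtype)] = upstream
        elif m := SIGNED.search(line):
            sid, name, rtype, keytag, algo = m.groups()
            sessions[sid]["pending"].pop((name, rtype), None)
            sessions[sid]["validated"].append((name, rtype, int(keytag), int(algo)))
        elif m := BOGUS.search(line):
            sid, name, rtype = m.groups()
            upstream = sessions[sid]["pending"].pop((name, rtype), "?")
            reason = "unsigned reply (no RRSIG)" if unsigned else "signature verification failed"
            sessions[sid]["broken"].append((name, rtype, upstream, reason))
            unsigned = False
        elif m := RESULT.search(line):
            sid, name, status = m.groups()
            sessions[sid]["result"] = (name, status)
    return dict(sessions)

def explain(session):
    # One-line diagnosis: which lookup in the chain broke, at which upstream, and why.
    name, status = session["result"] or ("?", "?")
    if status != "BOGUS" or not session["broken"]:
        return f"{name}: {status}"
    bname, btype, upstream, reason = session["broken"][0]
    return f"{name}: BOGUS because {btype} lookup for {bname} at {upstream} got {reason}"
```

Feeding it the full log from the thread (with wrapped lines re-joined) shows the same thing Simon describes: every DS/DNSKEY lookup up the tree validates except the DS for is-cf.cloudflareresolve.com, which is the one reply 1.1.1.1 returns without a signature.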