Some more information:

> When the bug occurs, the error «Insecure DS reply received, do upstream DNS 
> servers support DNSSEC?» is logged.

I think that the problem might be caused by this query in frames 7-8 of the 
PCAP:

    7   0.007426 192.168.1.155 → 84.208.20.110 DNS 81 Standard query 0x56e3 DS google.com OPT
    8   0.009033 84.208.20.110 → 192.168.1.155 DNS 639 Standard query response 0x56e3 DS google.com SOA a.gtld-servers.net NSEC3 RRSIG NSEC3 RRSIG OPT

There is no RRSIG record included that covers the SOA record (only the two 
NSEC3 records)

Occasionally (less than 5% of the time) my ISP's DNS server *does* include a 
RRSIG for the SOA record, though:

  194  31.307161 192.168.1.155 → 84.208.20.110 DNS 83 Standard query 0x8ade DS google.com OPT
  195  31.309053 84.208.20.110 → 192.168.1.155 DNS 804 Standard query response 0x8ade DS google.com SOA a.gtld-servers.net RRSIG NSEC3 RRSIG NSEC3 RRSIG OPT

When it does, Dnsmasq is able to answer the query successfully with the correct 
Insecure verdict (and cache it).

So the question then becomes: why does Dnsmasq require this RRSIG record, when 
other validating resolvers apparently do not?

> I have also observed the issue occurring while using public DNS servers like 
> 4.2.2.2 instead of 84.208.20.110.

I now believe this was an unrelated problem, cf. 
https://mobile.twitter.com/toreanderson/status/1165225237115543554

Tore

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
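The check Tore is doing by eye on the two captures (does every RRset in the authority section of the DS response have an RRSIG that covers it?) can be automated against the raw wire format. The following is an added example written for this page; it is not code from the thread or from Dnsmasq. It builds two responses with the same section layout as frames 8 and 195 above (owner names such as hash1.com. and all RDATA contents are constructed placeholders, and the OPT record is omitted), parses them with the standard library only, and reports the RRsets that lack a covering RRSIG. It does not validate any signature and takes no position on whether a resolver should require the RRSIG over the SOA; it only makes the difference between the two responses mechanical to spot.

```python
import struct

# RR type codes from RFC 1035, RFC 4034 and RFC 5155.
TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_NSEC3 = 6, 43, 46, 50
TYPE_NAMES = {TYPE_SOA: "SOA", TYPE_DS: "DS", TYPE_RRSIG: "RRSIG", TYPE_NSEC3: "NSEC3"}


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def rr(owner, rtype, rdata, ttl=900):
    """One class-IN resource record in wire format."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered, signer="com."):
    """RRSIG RDATA (RFC 4034 3.1). Only 'type covered' matters for this check; the
    algorithm, timestamps, key tag and signature bytes are constructed filler."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 1, 86400, 0, 0, 12345)
    return fixed + encode_name(signer) + b"\x00" * 32


def build_response(qname, qtype, authority, txid=0x56E3):
    """A response with an empty answer section and the given authority RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, len(authority), 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(authority)


def unsigned_rrsets(msg):
    """Return (owner, type) of every RRset in the answer and authority sections that
    has no RRSIG with the same owner and a matching 'type covered' field."""
    qd, an, ns, _ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    rrsets, covered = set(), set()
    for _ in range(an + ns):                      # additional section (OPT) is not checked
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_RRSIG:
            covered.add((owner, struct.unpack("!H", rdata[:2])[0]))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def describe_unsigned(msg):
    return ["%s %s has no covering RRSIG" % (o, TYPE_NAMES.get(t, t))
            for o, t in unsigned_rrsets(msg)]


# Constructed RDATA standing in for the real records (rname, serial, NSEC3 hashes
# and bitmaps are placeholders; only the section layout mirrors the captures).
SOA = rr("com.", TYPE_SOA, encode_name("a.gtld-servers.net.") + encode_name("hostmaster.example.")
         + struct.pack("!IIIII", 1566000000, 1800, 900, 604800, 86400))
NSEC3_1 = rr("hash1.com.", TYPE_NSEC3,
             struct.pack("!BBHB", 1, 1, 0, 0) + b"\x14" + b"\x01" * 20 + b"\x00\x01\x40")
NSEC3_2 = rr("hash2.com.", TYPE_NSEC3,
             struct.pack("!BBHB", 1, 1, 0, 0) + b"\x14" + b"\x02" * 20 + b"\x00\x01\x40")

# Layout of frame 8: SOA, NSEC3, RRSIG, NSEC3, RRSIG (no RRSIG over the SOA).
FRAME_8 = build_response("google.com.", TYPE_DS, [
    SOA, NSEC3_1, rr("hash1.com.", TYPE_RRSIG, rrsig_rdata(TYPE_NSEC3)),
    NSEC3_2, rr("hash2.com.", TYPE_RRSIG, rrsig_rdata(TYPE_NSEC3))])

# Layout of frame 195: the same, plus an RRSIG covering the SOA.
FRAME_195 = build_response("google.com.", TYPE_DS, [
    SOA, rr("com.", TYPE_RRSIG, rrsig_rdata(TYPE_SOA)),
    NSEC3_1, rr("hash1.com.", TYPE_RRSIG, rrsig_rdata(TYPE_NSEC3)),
    NSEC3_2, rr("hash2.com.", TYPE_RRSIG, rrsig_rdata(TYPE_NSEC3))], txid=0x8ADE)

if __name__ == "__main__":
    print("frame 8:  ", describe_unsigned(FRAME_8))    # ['com. SOA has no covering RRSIG']
    print("frame 195:", describe_unsigned(FRAME_195))  # []
```

To run the same check on a real capture, feed unsigned_rrsets() the bytes of the DNS payload of the response frame (for example exported from Wireshark with "Export Packet Bytes" on the DNS layer); the matching is by owner name and type-covered only, so a response in which the upstream omits the RRSIG over the SOA shows up as ('com.', 6) regardless of what the rest of the message contains.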
