Hi Simon,

> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
> 
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
> 
> ;; ANSWER SECTION:
> mythic-beasts.com.    86400   IN      DNSKEY  257 3 10
> AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF
> CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q
> X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc
> fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId
> vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP
> NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
> mythic-beasts.com.    86400   IN      DNSKEY  256 3 10
> AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a
> IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be
> tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C
> 5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB
> IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37
> Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
> mythic-beasts.com.    86400   IN      DNSKEY  256 3 10
> AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O
> NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92
> yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2
> OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc
> HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq
> c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
> mythic-beasts.com.    86400   IN      RRSIG   DNSKEY 10 2 86400 20191002000509
> 20190901230509 42918 mythic-beasts.com.
> UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2
> 0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L
> UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7
> gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73
> HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP
> 5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==
> 
> 
> Note, three DNSKEY records and the signature that signs the RRset. Note
> that this is a self-signature: the signature, along with key 41918 signs
> the digest of the set of three records. key 41918 is proved to be valid
> by a separate DS record that propagates the chain of trust down from the
> .com zone.
> 
> The answer to the same query in your pcap has only two DNSKEY RRs. The
> value of the signature is different, so it's possible that this still a
> valid, but different, RRset. However dnsmasq thinks it is not valid, and
> my feeling is that we should try and answer the question "where has this
> RRset come from" before we assume it's valid and dnsmasq is mistaken.
> 
> So, what happens when you ask your upstream server the query
> 
> dig +dnssec DNSKEY mythic-beasts.com
> 
> ?

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> @87.238.33.1 +dnssec DNSKEY 
mythic-beasts.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50476
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mythic-beasts.com.             IN      DNSKEY

;; ANSWER SECTION:
mythic-beasts.com.      86397   IN      DNSKEY  256 3 10 
AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O 
NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92 
yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2 
OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc 
HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq 
c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
mythic-beasts.com.      86397   IN      DNSKEY  256 3 10 
AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a 
IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be 
tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C 
5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB 
IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37 
Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
mythic-beasts.com.      86397   IN      DNSKEY  257 3 10 
AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF 
CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q 
X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc 
fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId 
vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP 
NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
mythic-beasts.com.      86397   IN      RRSIG   DNSKEY 10 2 86400 
20191002000509 20190901230509 42918 mythic-beasts.com. 
UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2 
0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L 
UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7 
gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73 
HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP 
5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==

;; Query time: 2 msec
;; SERVER: 87.238.33.1#53(87.238.33.1)
;; WHEN: ty. sep. 03 18:12:01 CEST 2019
;; MSG SIZE  rcvd: 1179

(If you would like access to query this server yourself, just send me a ssh 
public key and I'll spin up a VM for you.)

In any case, to me it seems pointless for Dnsmasq to try to perform DNSSEC 
validation on proxy.mythic-beasts.com, considering that the www.ipv6.org.uk IN 
CNAME record is Insecure in the first place, so the answer to the original 
query cannot possibly be Secure.

(For what it's worth, Knot Resolver will just supply the addresses included in 
the answer to the original www.ipv6.org.uk IN A query, it doesn't chase down 
the signatures of the proxy.mythic-beasts.com domain name.)

Tore

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to