On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
>
>> Apologies, I botched my test (using the wrong upstream server). It does
>> *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
>> dnsmasq: DNSSEC validation enabled
>> dnsmasq: configured with trust anchor for <root> keytag 20326
>> dnsmasq: configured with trust anchor for <root> keytag 19036
>> dnsmasq: using nameserver 87.238.33.1#53
>> dnsmasq: cleared cache
>> dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
>> dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DS] uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
>> dnsmasq: reply . is DNSKEY keytag 59944, algo 8
>> dnsmasq: reply . is DNSKEY keytag 20326, algo 8
>> dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
>> dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
>> dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
>> dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
>> dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
>> dnsmasq: reply ipv6.org.uk is no DS
>> [...]
>>
>> This query is repeated ~44 times in a tight loop. It makes a total of 50
>> queries before giving up; I guess it hits a built-in limit.
>>
>> PCAP attached.
>>
>> It seems to happen with *all* Insecure domain names (not only those that
>> have CNAMEs pointing to other Secure domain names).
>
> Bisected:
>
> ae7a3b9d2e8705af203a1347c397718a24331747 is the first bad commit
> commit ae7a3b9d2e8705af203a1347c397718a24331747
> Author: Simon Kelley <si...@thekelleys.org.uk>
> Date:   Tue Sep 3 14:40:47 2019 +0100
>
>     DNSSEC: implement RFC-4036 para 5.3.3. rules on TTL values.
>
> :040000 040000 52d7ead3d28019308dff0cb0dfcd80e4ef0341de 60ff380eb9c6b813d5081dee470d276be2109480 M	src
>
> If I revert this one, www.ipv6.org.uk and www.linuxquestions.org both resolve
> fine (as Insecure). So the fix in 69a0477 seems good.
>

OK. I think I see the problem......

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff

should fix.

Simon.

> Tore
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss