* Tore Anderson

> I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and 
> www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!

Apologies, I botched my test (using the wrong upstream server). It does *not* 
work, but the error is different:

$ src/dnsmasq -d -p 5353
dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: DNSSEC validation enabled
dnsmasq: configured with trust anchor for <root> keytag 20326
dnsmasq: configured with trust anchor for <root> keytag 19036
dnsmasq: using nameserver 87.238.33.1#53
dnsmasq: cleared cache
dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: forwarded www.ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: reply . is DNSKEY keytag 59944, algo 8
dnsmasq: reply . is DNSKEY keytag 20326, algo 8
dnsmasq: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] uk to 87.238.33.1
dnsmasq: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] org.uk to 87.238.33.1
dnsmasq: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
[...]

This query is repeated ~44 times in a tight loop. It makes a total of 50 
queries before giving up; I guess it hits a built-in limit.

PCAP attached.

It seems to happen with *all* Insecure domain names (not only those that have 
CNAMEs pointing to other Secure domain names).

Tore

Attachment: foo.pcap
Description: application/vnd.tcpdump.pcap

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
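
An added example, not part of the original post or of dnsmasq: a small Python check that scans dnsmasq debug output for the symptom reported above, the same DNSSEC query re-sent repeatedly while validating one client query. The function name, the threshold and the abbreviated sample log are constructed for illustration, and it assumes one client query in flight at a time.

```python
import re
from collections import Counter

# Line shapes taken from the dnsmasq -d output quoted in the post.
CLIENT_Q = re.compile(r"^dnsmasq: query\[(\w+)\] (\S+) from \S+")
DNSSEC_Q = re.compile(r"^dnsmasq: dnssec-query\[(\w+)\] (\S+) to \S+")

# Constructed sample: an abbreviated version of the log in the post.
SAMPLE_LOG = """\
dnsmasq: query[A] www.ipv6.org.uk from 127.0.0.1
dnsmasq: dnssec-query[DS] uk to 87.238.33.1
dnsmasq: dnssec-query[DNSKEY] . to 87.238.33.1
dnsmasq: dnssec-query[DS] org.uk to 87.238.33.1
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
dnsmasq: dnssec-query[DS] ipv6.org.uk to 87.238.33.1
dnsmasq: reply ipv6.org.uk is no DS
""".splitlines()

def find_validation_loops(lines, repeat_threshold=3):
    """Flag client queries whose validation re-sent one (type, name)
    DNSSEC query repeat_threshold times or more."""
    # Assumption: each dnssec-query belongs to the latest query[...] line.
    findings, trigger, counts = [], None, Counter()

    def flush():
        total = sum(counts.values())
        for (qtype, name), n in counts.items():
            if n >= repeat_threshold:
                findings.append({"client_query": trigger, "count": n,
                                 "repeated": f"{qtype} {name}",
                                 "total_dnssec_queries": total})

    for line in lines:
        m = CLIENT_Q.match(line)
        if m:
            flush()  # close out the previous client query
            trigger, counts = f"{m.group(1)} {m.group(2)}", Counter()
            continue
        m = DNSSEC_Q.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    flush()
    return findings

if __name__ == "__main__":
    print(find_validation_loops(SAMPLE_LOG))
```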