I would suggest using delv +vtrace @8.8.8.8

Then compare it with delv +vtrace @127.0.0.1


It is not about the AD flag, dnsmasq would set it itself. But there have to be RRSIG records when you do dig +dnssec. All of 1.1.1.1, 8.8.8.8 and 9.9.9.9 should support DNSSEC just fine. Is it possible your requests are intercepted on the way by a different server?


You would have to use DNS over TLS or DNS over HTTPS, which dnsmasq does not support. Or maybe just a different internet provider.


On 08. 06. 22 13:04, Stuart Bailey wrote:
Hello,
I have dnsmasq running on a Debian server / router, configured so that clients on the 'LAN' side can send DNS queries to the server rather than directly to the Internet. I'd like to configure dnsmasq to validate DNSSEC responses, but when I add the lines:

conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec

to my config file, all DNS requests to forwarders now fail.

If I run
dig +dnssec @8.8.8.8 <lookup domain>
directly on the server, I get the expected response with the 'ad' flag as appropriate.

My dnsmasq.conf file looks like:

# Configuration file for dnsmasq.
#
domain-needed
bogus-priv
localise-queries
domain=integra-edge.io
no-hosts
local=/integra-edge.io/
port=53
log-queries
log-debug
max-ttl=1
listen-address=127.0.0.1
cache-size=1000
no-resolv
no-poll

strict-order
server=1.1.1.1
server=8.8.8.8
server=9.9.9.9

conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
#dnssec-check-unsigned

dhcp-leasefile=/var/lib/dhcp/dnsmasq.leases

conf-dir=/etc/dnsmasq.d/dhcp,*.conf

Using tcpdump, I can see that dnsmasq seems to get stuck on the DNSKEY request:

10:59:15.431106 IP 192.168.20.55.43867 > dns9.quad9.net.domain: 33763+ [1au] A? bbc.co.uk. (50)
10:59:15.471293 IP dns9.quad9.net.domain > 192.168.20.55.43867: 33763 4/0/1 A 151.101.192.81, A 151.101.64.81, A 151.101.0.81, A 151.101.128.81 (102)
10:59:15.471497 IP 192.168.20.55.45970 > dns9.quad9.net.domain: 27235+ [1au] DS? uk. (31)
10:59:15.508817 IP dns9.quad9.net.domain > 192.168.20.55.45970: 27235$ 2/0/1 DS, RRSIG (366)
10:59:15.509375 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:20.434731 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:25.438660 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)


But using dig directly as above, I only get:

11:00:42.118765 IP 192.168.20.55.34235 > dns9.quad9.net.domain: 47855+ [1au] A? bbc.co.uk. (50)
11:00:42.149587 IP dns9.quad9.net.domain > 192.168.20.55.34235: 47855 4/0/1 A 151.101.64.81, A 151.101.128.81, A 151.101.192.81, A 151.101.0.81 (102)

I am running Debian 11 (bullseye) with dnsmasq version 2.85; my trust-anchors.conf file is the standard file shipped with Bullseye.

Many thanks,

Stuart


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
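As an added example, not part of this thread, the following Python script parses tcpdump DNS lines of the kind quoted above (the sample is constructed from them) and reports which queries were retransmitted without any reply, and whether the replies that did arrive carried RRSIG records and the AD bit (tcpdump prints `$` after the ID when AD is set). It is a quick way to confirm that it is the root DNSKEY lookup, not the A query, that never gets an answer.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump excerpt from the thread, one packet per line.
SAMPLE = """\
10:59:15.431106 IP 192.168.20.55.43867 > dns9.quad9.net.domain: 33763+ [1au] A? bbc.co.uk. (50)
10:59:15.471293 IP dns9.quad9.net.domain > 192.168.20.55.43867: 33763 4/0/1 A 151.101.192.81, A 151.101.64.81, A 151.101.0.81, A 151.101.128.81 (102)
10:59:15.471497 IP 192.168.20.55.45970 > dns9.quad9.net.domain: 27235+ [1au] DS? uk. (31)
10:59:15.508817 IP dns9.quad9.net.domain > 192.168.20.55.45970: 27235$ 2/0/1 DS, RRSIG (366)
10:59:15.509375 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:20.434731 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
10:59:25.438660 IP 192.168.20.55.60968 > dns9.quad9.net.domain: 38502+ [1au] DNSKEY? . (28)
"""

# Query: client socket -> resolver port 53 ("domain"), "ID+ [...] TYPE? NAME (len)"
QUERY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+\.domain): (?P<id>\d+)\+.*?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
# Reply: resolver port 53 -> client socket, "ID[flags] an/ns/ar RRs... (len)"
RESP = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+\.domain) > (?P<dst>\S+): (?P<id>\d+)(?P<flags>[^ ]*) "
    r"(?P<counts>\d+/\d+/\d+) (?P<body>.*) \(\d+\)$")


def analyse(text):
    """Pair queries with replies by (client socket, DNS ID); return one record per query."""
    sent = defaultdict(list)   # key -> [(ts, qtype, qname), ...]  (retransmits repeat the key)
    got = defaultdict(list)    # key -> [(ts, ad_bit, has_rrsig), ...]
    for line in text.splitlines():
        m = QUERY.match(line)
        if m:
            sent[(m["src"], m["id"])].append((m["ts"], m["qtype"], m["qname"]))
            continue
        m = RESP.match(line)
        if m:
            got[(m["dst"], m["id"])].append((m["ts"], "$" in m["flags"], "RRSIG" in m["body"]))
    report = []
    for key, qs in sent.items():
        _, qtype, qname = qs[0]
        answers = got.get(key, [])
        report.append({"query": f"{qtype} {qname}", "sent": len(qs),
                       "answered": bool(answers),
                       "ad": any(a[1] for a in answers),
                       "rrsig": any(a[2] for a in answers)})
    return report


def stuck_queries(text):
    """Queries that were (re)sent but never answered, e.g. the root DNSKEY lookup above."""
    return [r["query"] for r in analyse(text) if not r["answered"]]


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(r)
```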
