On 6/23/25 21:44, Uwe Kleine-König wrote:
Hello,

back in January I hit a DNSSEC related problem that I reported on that
list, and that resulted in commit
8ce27433f8b2e17c557cb55e4f16941d309deeac.

Now I slightly changed my setup to make it more robust, it works as
follows now:

I have an authoritative DNS server for kleine-koenig.org running on
[::1]:10053 and dnsmasq (running on OpenWrt) configured with

        server=/kleine-koenig.org/::1#10053
        domain=kk4.kleine-koenig.org

. The problem I have now is that a dnssec verifying resolver querying the
forwarding side of dnsmasq sees:

        $ delv www.kleine-koenig.org
        ;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
        ;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
        ;; resolution failed: broken trust chain

I think the problem is that the DS query for kleine-koenig.org is also
forwarded to [::1]:10053. Instead it should be forwarded to the same
server that (non-DS) queries for .org are sent to.

So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
too short-sighted; a DS query should always go to the parent, not only for
the zones that dnsmasq is authoritative for.

Agreed, I just pushed 2.92test15 which implements this.

I did a load of testing, and I think every situation works now.

Domain specific server, no DNSSEC records, for a domain which is provably not signed higher up the hierarchy.

Domain specific server, no DNSSEC records, for a domain which should be signed. (Dnsmasq gives this the benefit of the doubt, but logs a warning.)

Domain specific server with DNSSEC records, that the higher domains don't have a DS record for, but there is a trust anchor in dnsmasq config.

Domain specific server with DNSSEC records, that the higher domains do have DS record for.

For those last two, DS queries work the same way, returning either the local trust anchor, or the DS from the parent.



Cheers,

Simon.



(Hmm, the DS query has the RD flag set, does that mean that the server
specified in a --server option has to be a recursor?)

Best regards
Uwe


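The routing rule the thread settles on (a DS query is routed as a query for the parent zone, so it reaches whatever server handles the parent, unless a locally configured trust anchor for that zone answers it) can be modelled in a few lines. The following is an added illustration written for this archive page, not dnsmasq's code and not a description of how dnsmasq is implemented internally; the `Config` class, `route()` function and the "default" placeholder for dnsmasq's non-domain-specific upstream are assumptions made for the example, and the config values are the ones quoted in the thread.

```python
"""Model of the DS-forwarding rule discussed in the thread (added example).

The DS record for zone X lives in X's parent zone, so a query for
DS X must be sent wherever queries for parent(X) go, not to the
server=/X/ upstream.  A trust anchor configured for X answers the DS
query locally instead.  This mirrors the behaviour described in the
thread; it is not dnsmasq's implementation.
"""
from dataclasses import dataclass, field

# Stands in for dnsmasq's non-domain-specific upstream server(s).
DEFAULT = "default"


@dataclass
class Config:
    # server=/domain/addr#port entries, keyed by domain (no trailing dot).
    servers: dict[str, str] = field(default_factory=dict)
    # trust anchors keyed by domain; the value stands in for the DS data.
    trust_anchors: dict[str, str] = field(default_factory=dict)


def _parent(name: str) -> str:
    """Strip the leftmost label; the parent of a TLD is the root ("")."""
    _, _, rest = name.partition(".")
    return rest


def _longest_match(config: Config, name: str) -> str:
    """Pick the most specific server=/domain/ entry that is a suffix of
    NAME (the domain itself or any subdomain of it), else DEFAULT."""
    labels = name.split(".") if name else []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in config.servers:
            return config.servers[candidate]
    return DEFAULT


def route(config: Config, qname: str, qtype: str) -> tuple[str, str]:
    """Return (action, target) for a query.

    action is "local" (answered from a trust anchor; target is the
    anchor data) or "forward" (target is the upstream to query).
    """
    qname = qname.rstrip(".").lower()
    if qtype.upper() == "DS":
        # Trust anchor for this exact zone: answer the DS query locally.
        if qname in config.trust_anchors:
            return ("local", config.trust_anchors[qname])
        # Otherwise route it exactly like a query for the parent zone.
        return ("forward", _longest_match(config, _parent(qname)))
    return ("forward", _longest_match(config, qname))


if __name__ == "__main__":
    # The setup from the thread: server=/kleine-koenig.org/::1#10053
    cfg = Config(servers={"kleine-koenig.org": "::1#10053"})
    for name, qtype in [("www.kleine-koenig.org", "A"),
                        ("kleine-koenig.org", "DNSKEY"),
                        ("kleine-koenig.org", "DS"),
                        ("www.kleine-koenig.org", "DS")]:
        print(f"{qtype:6} {name:25} -> {route(cfg, name, qtype)}")
```

With this rule, `DS kleine-koenig.org` goes to the default upstream (the one that also handles `.org`), while `DNSKEY kleine-koenig.org` and `DS www.kleine-koenig.org` still go to `::1#10053`, which is the split the thread asks for; adding a trust anchor for `kleine-koenig.org` makes the zone's own DS query answer locally, matching the last two test cases Simon lists.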
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
