Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-03-27 Thread Simon Kelley
This is a real problem, and I plan to look at it (and all the other
stuff I've been ignoring) ASAP. I'm moving house just now, so very
short of time. If I don't produce something by the end of next week,
please prod me again.


Cheers,

Simon.


On 27/03/17 16:37, Patryk Szczygłowski wrote:
> Hello,
> 
> I have a domain signed with DNSSEC: patryk.one.pl
> The issue is, the parent one.pl is completely void of
> DNSSEC support (and it will probably never get fixed).
> 
> Therefore:
> - . is signed
> - .pl is signed, no DS for .one.pl
> - .one.pl is NOT signed, no DNSKEY, no DS for
> .patryk.one.pl
> - .patryk.one.pl is signed
> 
> My domain is registered with dlv.isc.org, but this is not
> important anymore, as they announced closing down.
> 
> Have a look here:
> http://dnsviz.net/d/patryk.one.pl/dnssec/
> 
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In
> consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> https://tools.ietf.org/html/rfc4035#section-5.1
> 
> It should mark BOGUS only if top-bottom validation determines DS in
> parent but missing DNSKEY in child.
> 
> Current behaviour is promoting a race condition, when the domain owner
> enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
> 
> The same situation was a few years ago, when TLDs were gradually enabled,
> when for a while they were signed with DNSKEY without DS being set on
> parent, only to be put several months later. There are still unsigned
> TLDs and I think they will stop being resolved completely when this
> happens again.
> 
> Google Public DNS behaviour is correct.
> 
> -- 
> Patryk Szczygłowski
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-03-27 Thread Patryk Szczygłowski
Hello,

I have a domain signed with DNSSEC: patryk.one.pl
The issue is, the parent one.pl is completely void of DNSSEC support (and
it will probably never get fixed).

Therefore:
- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed

My domain is registered with dlv.isc.org, but this is not important anymore,
as they announced closing down.

Have a look here:
http://dnsviz.net/d/patryk.one.pl/dnssec/

The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence
the domain does not resolve.
I believe it is in contradiction with RFC:
https://tools.ietf.org/html/rfc4035#section-5.1

It should mark BOGUS only if top-bottom validation determines DS in parent
but missing DNSKEY in child.

Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.

The same situation was a few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned TLDs
and I think they will stop being resolved completely when this happens
again.

Google Public DNS behaviour is correct.

-- 
Patryk Szczygłowski
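The report above turns on the difference between INSECURE and BOGUS in the RFC 4035 section 5.1 top-down walk. The following is an added example, not dnsmasq code and not anything posted in this thread: a small model of that walk over a constructed delegation chain (the key tags are made up), which reports the island of security at patryk.one.pl as INSECURE, while a delegation that has a DS in the parent but no matching DNSKEY in the child comes out BOGUS. It assumes a signed parent that publishes no DS provides an authenticated denial (NSEC/NSEC3), which the model does not check.

```python
"""Model of the RFC 4035 section 5.1 top-down validation outcome per delegation.

Added example; not dnsmasq's validator. Key tags and zone data are constructed.
"""
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


@dataclass
class Zone:
    name: str
    # key tags in the zone's DNSKEY RRset; empty means the zone is unsigned
    dnskey_tags: frozenset = frozenset()
    # child zone name -> key tags the parent publishes DS records for
    ds: dict = field(default_factory=dict)


def ancestors(name):
    """'patryk.one.pl.' -> ['.', 'pl.', 'one.pl.', 'patryk.one.pl.']"""
    labels = [lab for lab in name.split(".") if lab]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def validate(zones, qname):
    """Walk from the root trust anchor down to qname; return (status, trace).

    - SECURE parent with a DS matching a child DNSKEY   -> child SECURE
    - SECURE parent with a DS but no matching child key -> child BOGUS
    - SECURE parent with no DS (authenticated denial assumed) -> child INSECURE
    - INSECURE parent -> child INSECURE, whether or not the child is signed
      (this is the "island of security" case from the report)
    """
    state = SECURE  # the root is the trust anchor
    trace = [(".", state)]
    parent = zones["."]
    for name in ancestors(qname)[1:]:
        child = zones.get(name)
        if child is None:
            continue  # not a zone cut: the name lives inside the parent zone
        if state == SECURE:
            ds_tags = parent.ds.get(name)
            if ds_tags is None:
                state = INSECURE
            elif ds_tags & child.dnskey_tags:
                state = SECURE
            else:
                state = BOGUS
        trace.append((name, state))
        if state == BOGUS:
            break
        parent = child
    return state, trace


def thread_chain():
    """Constructed model of the chain described in the report (made-up key tags)."""
    return {
        ".": Zone(".", frozenset({11}), ds={"pl.": frozenset({22})}),
        "pl.": Zone("pl.", frozenset({22})),          # signed, publishes no DS for one.pl
        "one.pl.": Zone("one.pl."),                   # unsigned: no DNSKEY, no DS records
        "patryk.one.pl.": Zone("patryk.one.pl.", frozenset({33})),  # signed island
    }


if __name__ == "__main__":
    status, trace = validate(thread_chain(), "patryk.one.pl.")
    for zone_name, zone_state in trace:
        print(f"{zone_name:<18} {zone_state}")
    print("result:", status)
```

Running it prints INSECURE for patryk.one.pl, which is the answer a validator should return and resolve; swapping the roles (DS uploaded to the parent, DNSKEY not yet or no longer present in the child) is the only configuration in this model that yields BOGUS, matching the distinction the report draws.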


Re: [Dnsmasq-discuss] [PATCH] Logging of dhcp_script output

2017-03-27 Thread Petr Mensik
Well yes, you can redirect output to any file you want. It is not configurable, 
however, and it cannot reuse any logging configuration you already have. You 
cannot use journalctl to list errors, for example. You have to create a place for 
dnsmasq to write that log and rotate it at regular intervals.

This solution is good for debugging your new script for the first time. It does 
not seem a good solution if you want to log any problems in your long-running 
service. Dnsmasq is used by libvirt, for example, to provide DNS and DHCP on a 
virtual subnet.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973


- Original Message -
From: "Alex Xu" 
To: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Friday, March 24, 2017 7:19:04 PM
Subject: Re: [Dnsmasq-discuss] [PATCH] Logging of dhcp_script output

On Fri, 24 Mar 2017 13:38:17 -0400 (EDT)
Petr Mensik  wrote:

> Hi!
> 
> Some guys using dnsmasq in virtual machines and OpenStack use a custom
> dhcp_script to manage leases of clients. However, they complain that if
> there is anything wrong with them, they are just told "broken pipe" and
> get no information.
> 
> We understand it should not produce any output under normal
> operation. But it would be really helpful if at least anything was
> visible in logs, especially for errors happening under rare
> circumstances. I have prepared a patch to forward events from the helper.
> It prevents receiving SIGPIPE if the script does write anything, and logs
> it from dnsmasq. It seems very handy to me.
> 
> It was not simple to forward it to the main log. I would like opinions on
> whether it is useful or dangerous. Do you consider it worth merging, Simon?
> 
> Best Regards,
> Petr
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com  PGP: 65C6C973
> 

you could also just put "exec >/var/log/whatever 2>&1" at the start of
your script. hell, you can even do "exec > >(logger) 2>&1" if you want.

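The two replies above describe the trade-off: Alex's `exec` redirect is a one-liner but lands in an unrotated file or an untagged syslog stream, and Petr's patch puts the script's output into dnsmasq's own log. As an added example, not Petr's patch and not dnsmasq code, here is a wrapper that sits between dnsmasq and the real dhcp-script, captures whatever the script prints to a temporary file (no pipe, so the script never sees SIGPIPE), and forwards each line to syslog via `logger` with a fixed tag and the lease arguments attached, so `journalctl -t dnsmasq-dhcp` can list them. The path `/usr/local/sbin/dhcp-hook.sh` for the real script is a hypothetical placeholder; set `REAL_SCRIPT` to your own.

```sh
#!/bin/sh
# Added example wrapper for dnsmasq's dhcp-script (not from dnsmasq or this thread).
# dnsmasq calls the script as:  <script> <action> <mac> <ip> [<hostname>]
# Point dnsmasq at this file (dhcp-script=/path/to/wrapper.sh) and set
# REAL_SCRIPT to the script that does the actual work.

REAL_SCRIPT="${REAL_SCRIPT:-/usr/local/sbin/dhcp-hook.sh}"  # hypothetical path
TAG="${TAG:-dnsmasq-dhcp}"
# LOG_SINK=syslog sends lines through logger(1); LOG_SINK=stdout prints them,
# which is handy when running the wrapper by hand.
LOG_SINK="${LOG_SINK:-syslog}"

# Build one structured log line from the dhcp-script arguments and a message.
# $1 action, $2 mac, $3 ip, $4 hostname (may be empty), $5 exit status, $6 message
format_line() {
    printf 'action=%s mac=%s ip=%s host=%s status=%s msg=%s\n' \
        "$1" "$2" "$3" "${4:-unknown}" "$5" "$6"
}

# Deliver one formatted line to the configured sink.
emit() {
    if [ "$LOG_SINK" = "syslog" ] && command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" -p daemon.notice -- "$1"
    else
        printf '%s\n' "$1"
    fi
}

# run_logged <action> <mac> <ip> <hostname> <command...>
# Runs the command with stdout and stderr captured to a temp file, forwards every
# line it produced, adds a line if it failed, and returns the command's exit status.
run_logged() {
    action=$1; mac=$2; ip=$3; host=$4; shift 4
    tmp=$(mktemp) || return 1
    "$@" >"$tmp" 2>&1 && status=0 || status=$?
    while IFS= read -r line || [ -n "$line" ]; do
        emit "$(format_line "$action" "$mac" "$ip" "$host" "$status" "$line")"
    done <"$tmp"
    if [ "$status" -ne 0 ]; then
        emit "$(format_line "$action" "$mac" "$ip" "$host" "$status" "script exited non-zero")"
    fi
    rm -f "$tmp"
    return "$status"
}

# Act as the wrapper only when dnsmasq actually invokes us with lease arguments.
if [ "$#" -ge 3 ] && [ -x "$REAL_SCRIPT" ]; then
    run_logged "$1" "$2" "$3" "${4:-}" "$REAL_SCRIPT" "$@"
fi
```

Because the wrapper preserves the real script's exit status and stays silent when the script is quiet and successful, normal operation produces no log noise; only the rare failure case Petr mentions shows up, and it shows up with the MAC, address and action it belonged to.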
