Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-16 Thread Simon Kelley
On 15/07/16 00:13, mmmfotografie wrote:
> On 14-7-2016 23:22, Simon Kelley wrote:
>> On 12/07/16 00:17, mmmfotografie wrote:
>>> On 11-7-2016 23:08, Simon Kelley wrote:
 I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
 behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

 The upstream is clearly answering the direct question OK, but
 stalling on some of the DNSSEC queries needed to verify it. That could
 be an upstream problem, or a problem with the authoritative servers for
 the domain. ftp.mozilla.org is signed, but it's a CNAME to
 cloudfront.org, so the DS from .org proving that cloudfront.org is not
 signed is also required.

 Are you still seeing the problem now, or has this resolved itself?

 Cheers,

 Simon.
>>> Thanks Simon for your reply and testing. I have now tried with 8.8.8.8
>>> and I have the same problem.
>>>
>>> I see that the DNSSEC on firefox.com and mozilla.com are now disabled
>>> and I don't get an "ad" on them when I use dig and the output of dnsmasq
>>> states INSECURE. So maybe Mozilla is now working around that problem.
>>>
>>> mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
>>> ftp.mozilla goes indeed through Cloudfront but is not secure.
>>> .
>>> .
>>> .
>>> I have been testing a few settings...a lot of settings and combinations
>>> in the past hours and have no way to get a good response from dnsmasq.
>>>
>>> I first use "dig +dnssec +multi mozilla.org @127.0.0.1" which seems to
>>> have more patience in waiting for a response. dnsmasq seems to do only
>>> one try when using dig and not three as with nslookup. dnsmasq is
>>> thinking about four seconds and then gives a valid response using dig.
>>>
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
>>> dnsmasq: validation result is SECURE
>>> dnsmasq: reply mozilla.org is 63.245.215.20
>>>
>>> So on my standard upstream server:
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
>>> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
>>> dnsmasq: validation result is SECURE
>>> dnsmasq: reply mozilla.org is 63.245.215.20
>>>
>>> Now the information is in the cache and a next request is instant.
>>>
>>> Also ftp.mozilla.org is instant now but insecure:
>>>
>>> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
>>> dnsmasq: validation result is INSECURE
>>> dnsmasq: reply ftp.mozilla.org is <CNAME>
>>> dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
>>> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
>>> dnsmasq: cached ftp.mozilla.org is <CNAME>
>>> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
>>> dnsmasq: validation result is INSECURE
>>> dnsmasq: reply ftp.mozilla.org is <CNAME>
>>>
>>> And if I don't use dig mozilla.org or ftp.mozilla.org before the
>>> nslookup, it times out again:
>>>
>>> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
>>> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
>>> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
>>> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
>>> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
>>> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
>>> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
>>> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
>>> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
>>> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
>>> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>>> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
>>> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>>> dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
>>> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>>> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
>>> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
>>> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
>>>
>>
>> So the problem seems to be that the query for DNSKEY on
>> mozilla.org is not being replied to in a reliable way.
>>
>> One possibility is that the reply is quite large (886 bytes) and
>> probably larger than most DNS replies. It has been known for firewalls
>> to do crazy things like rejecting all DNS packets >512 bytes, so it's
>> worth exploring that a bit more.
>>
>>
>> What happens when you use dig to make the same query?
>>
>> dig @8.8.8.8 dnskey mozilla.o

Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-15 Thread mmmfotografie

On 15-7-2016 1:13, mmmfotografie wrote:

On 14-7-2016 23:22, Simon Kelley wrote:

On 12/07/16 00:17, mmmfotografie wrote:

On 11-7-2016 23:08, Simon Kelley wrote:

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but
stalling on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.

Thanks Simon for your reply and testing. I have now tried with 8.8.8.8
and I have the same problem.

I see that the DNSSEC on firefox.com and mozilla.com are now disabled
and I don't get an "ad" on them when I use dig and the output of dnsmasq
states INSECURE. So maybe Mozilla is now working around that problem.

mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
ftp.mozilla goes indeed through Cloudfront but is not secure.
.
.
.
I have been testing a few settings...a lot of settings and combinations
in the past hours and have no way to get a good response from dnsmasq.

I first use "dig +dnssec +multi mozilla.org @127.0.0.1" which seems to
have more patience in waiting for a response. dnsmasq seems to do only
one try when using dig and not three as with nslookup. dnsmasq is
thinking about four seconds and then gives a valid response using dig.

dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

So on my standard upstream server:
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

Now the information is in the cache and a next request is instant.

Also ftp.mozilla.org is instant now but insecure:

dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>
dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: cached ftp.mozilla.org is <CNAME>
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>

And if I don't use dig mozilla.org or ftp.mozilla.org before the
nslookup, it times out again:

dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99



So the problem seems to be that the query for DNSKEY on
mozilla.org is not being replied to in a reliable way.

One possibility is that the reply is quite large (886 bytes) and
probably larger than most DNS replies. It has been known for firewalls
to do crazy things like rejecting all DNS packets >512 bytes, so it's
worth exploring that a bit more.


What happens when you use dig to make the same query?

dig @8.8.8.8 dnskey mozilla.org
dig @194.109.9.99 dnskey mozilla.org


Cheers,

Simon.


Underneath you will find the outputs of the two dig requests:

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @8.8.8.8 dnskey mozilla.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36160
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSEC

Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-14 Thread mmmfotografie

On 14-7-2016 23:22, Simon Kelley wrote:

On 12/07/16 00:17, mmmfotografie wrote:

On 11-7-2016 23:08, Simon Kelley wrote:

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but
stalling on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.

Thanks Simon for your reply and testing. I have now tried with 8.8.8.8
and I have the same problem.

I see that the DNSSEC on firefox.com and mozilla.com are now disabled
and I don't get an "ad" on them when I use dig and the output of dnsmasq
states INSECURE. So maybe Mozilla is now working around that problem.

mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
ftp.mozilla goes indeed through Cloudfront but is not secure.
.
.
.
I have been testing a few settings...a lot of settings and combinations
in the past hours and have no way to get a good response from dnsmasq.

I first use "dig +dnssec +multi mozilla.org @127.0.0.1" which seems to
have more patience in waiting for a response. dnsmasq seems to do only
one try when using dig and not three as with nslookup. dnsmasq is
thinking about four seconds and then gives a valid response using dig.

dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

So on my standard upstream server:
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

Now the information is in the cache and a next request is instant.

Also ftp.mozilla.org is instant now but insecure:

dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>
dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: cached ftp.mozilla.org is <CNAME>
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>

And if I don't use dig mozilla.org or ftp.mozilla.org before the
nslookup, it times out again:

dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99



So the problem seems to be that the query for DNSKEY on
mozilla.org is not being replied to in a reliable way.

One possibility is that the reply is quite large (886 bytes) and
probably larger than most DNS replies. It has been known for firewalls
to do crazy things like rejecting all DNS packets >512 bytes, so it's
worth exploring that a bit more.


What happens when you use dig to make the same query?

dig @8.8.8.8 dnskey mozilla.org
dig @194.109.9.99 dnskey mozilla.org


Cheers,

Simon.


Underneath you will find the outputs of the two dig requests:

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @8.8.8.8 dnskey mozilla.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36160
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;;

Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-14 Thread Simon Kelley
On 12/07/16 00:17, mmmfotografie wrote:
> On 11-7-2016 23:08, Simon Kelley wrote:
>> I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
>> behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.
>>
>> The upstream is clearly answering the direct question OK, but
>> stalling on some of the DNSSEC queries needed to verify it. That could
>> be an upstream problem, or a problem with the authoritative servers for
>> the domain. ftp.mozilla.org is signed, but it's a CNAME to
>> cloudfront.org, so the DS from .org proving that cloudfront.org is not
>> signed is also required.
>>
>> Are you still seeing the problem now, or has this resolved itself?
>>
>> Cheers,
>>
>> Simon.
> 
> Thanks Simon for your reply and testing. I have now tried with 8.8.8.8
> and I have the same problem.
> 
> I see that the DNSSEC on firefox.com and mozilla.com are now disabled
> and I don't get an "ad" on them when I use dig and the output of dnsmasq
> states INSECURE. So maybe Mozilla is now working around that problem.
> 
> mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
> ftp.mozilla goes indeed through Cloudfront but is not secure.
> .
> .
> .
> I have been testing a few settings...a lot of settings and combinations
> in the past hours and have no way to get a good response from dnsmasq.
> 
> I first use "dig +dnssec +multi mozilla.org @127.0.0.1" which seems to
> have more patience in waiting for a response. dnsmasq seems to do only
> one try when using dig and not three as with nslookup. dnsmasq is
> thinking about four seconds and then gives a valid response using dig.
> 
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
> dnsmasq: validation result is SECURE
> dnsmasq: reply mozilla.org is 63.245.215.20
> 
> So on my standard upstream server:
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
> dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
> dnsmasq: validation result is SECURE
> dnsmasq: reply mozilla.org is 63.245.215.20
> 
> Now the information is in the cache and a next request is instant.
> 
> Also ftp.mozilla.org is instant now but insecure:
> 
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: validation result is INSECURE
> dnsmasq: reply ftp.mozilla.org is <CNAME>
> dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
> dnsmasq: cached ftp.mozilla.org is <CNAME>
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: validation result is INSECURE
> dnsmasq: reply ftp.mozilla.org is <CNAME>
> 
> And if I don't use dig mozilla.org or ftp.mozilla.org before the
> nslookup, it times out again:
> 
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> 


So the problem seems to be that the query for DNSKEY on
mozilla.org is not being replied to in a reliable way.

One possibility is that the reply is quite large (886 bytes) and
probably larger than most DNS replies. It has been known for firewalls
to do crazy things like rejecting all DNS packets >512 bytes, so it's
worth exploring that a bit more.


What happens when you use dig to make the same query?

dig @8.8.8.8 dnskey mozilla.org
dig @194.109.9.99 dnskey mozilla.org


Cheers,

Simon.





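Simon's suggestion above is a size test: the same DNSKEY query, once over UDP and once over TCP, to see whether a reply of roughly 886 bytes is what goes missing. The script below is an added example written for this page, not code from the thread or from dnsmasq. It hand-builds the query with an EDNS0 OPT record so the advertised UDP buffer size can be varied (512, 1232 and 4096 bytes are assumed probe values), reads the TC flag and size from each reply, then repeats the query over TCP. The live `probe()` needs network access to the resolver; `build_query()`, `parse_header()` and `diagnose()` work offline on constructed data.

```python
import random
import socket
import struct

DNSKEY = 48  # RR type number for DNSKEY


def build_query(name, qtype, udp_size=4096, dnssec_ok=True, qid=None):
    """Build a recursive DNS query carrying an EDNS0 OPT record.

    udp_size is the UDP payload size advertised to the server; dnssec_ok
    sets the DO bit so RRSIGs come back, which is what makes a DNSKEY
    reply large enough to trip a 512-byte filter in the first place.
    """
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional (OPT)
    labels = name.rstrip(".").encode().split(b".")
    qname = b"".join(struct.pack("B", len(label)) + label for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL field = ext-RCODE/version/flags with DO in the top bit, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(resp):
    """Extract the header fields that matter for this diagnosis."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "tc": bool(flags & 0x0200),  # server truncated the reply to fit the buffer
        "ad": bool(flags & 0x0020),  # resolver reports the answer as validated
        "rcode": flags & 0x000F,
        "ancount": an,
        "size": len(resp),
    }


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise EOFError("connection closed mid-message")
        data += chunk
    return data


def query_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None  # no reply at all: the interesting case here


def query_tcp(server, pkt, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, name="mozilla.org", qtype=DNSKEY, sizes=(512, 1232, 4096)):
    """Send the same query with several EDNS buffer sizes over UDP, then over TCP."""
    report = {}
    for size in sizes:
        r = query_udp(server, build_query(name, qtype, udp_size=size))
        report[f"udp/{size}"] = parse_header(r) if r else "timeout"
    try:
        report["tcp"] = parse_header(query_tcp(server, build_query(name, qtype)))
    except (OSError, EOFError) as exc:
        report["tcp"] = f"failed: {exc}"
    return report


def diagnose(report):
    """Turn a probe report into the conclusion the thread is trying to reach."""
    tcp_ok = isinstance(report.get("tcp"), dict) and report["tcp"]["rcode"] == 0
    big, small = report.get("udp/4096"), report.get("udp/512")
    if isinstance(big, dict) and not big["tc"]:
        return "large UDP replies arrive intact"
    if big == "timeout" and tcp_ok:
        return "large UDP replies are lost: suspect a middlebox dropping DNS > 512 bytes or IP fragments"
    if isinstance(small, dict) and small["tc"] and tcp_ok:
        return "server truncates at 512 bytes and TCP fallback works"
    return "inconclusive"
```

Run `probe("194.109.9.99")` and `probe("8.8.8.8")` from the same host as dnsmasq: if the 512-byte probe comes back truncated, the 4096-byte probe times out and TCP succeeds, something between the host and the resolver is eating large UDP answers, which is exactly the symptom in the dnsmasq log (the DNSKEY query for mozilla.org is re-sent and never answered).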

Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-11 Thread mmmfotografie

On 11-7-2016 23:08, Simon Kelley wrote:

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but
stalling on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.


Thanks Simon for your reply and testing. I have now tried with 8.8.8.8 
and I have the same problem.


I see that the DNSSEC on firefox.com and mozilla.com are now disabled
and I don't get an "ad" on them when I use dig and the output of dnsmasq
states INSECURE. So maybe Mozilla is now working around that problem.


mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9  and the
ftp.mozilla goes indeed through Cloudfront but is not secure.

.
.
.
I have been testing a few settings...a lot of settings and combinations
in the past hours and have no way to get a good response from dnsmasq.


I first use "dig +dnssec +multi mozilla.org @127.0.0.1" which seems to
have more patience in waiting for a response. dnsmasq seems to do only
one try when using dig and not three as with nslookup. dnsmasq is
thinking about four seconds and then gives a valid response using dig.


dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

So on my standard upstream server:
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

Now the information is in the cache and a next request is instant.

Also ftp.mozilla.org is instant now but insecure:

dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>
dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: cached ftp.mozilla.org is <CNAME>
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is <CNAME>

And if I don't use dig mozilla.org or ftp.mozilla.org before the 
nslookup, it times out again:


dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99

Cheers, Marcel
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
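Reading the trace by eye works for a short log; for a longer one it helps to pair every dnssec-query line with the DNSKEY/DS replies that came back and list what never did. The script below is an added example, not part of the thread or of dnsmasq. The two sample traces are copied from the logs Marcel posted above (the working run against 8.8.8.8 and the stalled run against 194.109.9.99, with the client query lines left out since the script does not use them); the regular expressions assume the `dnsmasq -d` log format shown there.

```python
import re
from collections import Counter

# Line shapes as they appear in a `dnsmasq -d` trace (assumed from the logs in this thread).
QUERY_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (DNSKEY|DS) keytag (\d+), algo (\d+)")
RESULT_RE = re.compile(r"validation result is (\w+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")

# Working run against 8.8.8.8, copied from the log posted above.
GOOD_TRACE = """\
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20
""".splitlines()

# Stalled run against 194.109.9.99, copied from the log posted above (client query lines omitted).
STALLED_TRACE = """\
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
""".splitlines()


def analyse(lines):
    """Pair each dnssec-query with the DNSKEY/DS replies logged for the same (type, name)."""
    issued = Counter()    # (rrtype, name) -> times dnsmasq asked upstream (repeats are retries)
    answered = set()      # (rrtype, name) for which at least one RR was logged
    keys = {}             # (rrtype, name) -> keytags seen in the replies
    forwards = Counter()  # client names forwarded upstream; repeats are client retries
    results = []          # SECURE / INSECURE / BOGUS verdicts, in log order
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            issued[(m.group(1), m.group(2))] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            key = (m.group(2), m.group(1))
            answered.add(key)
            keys.setdefault(key, set()).add(int(m.group(3)))
            continue
        m = RESULT_RE.search(line)
        if m:
            results.append(m.group(1))
            continue
        m = FORWARD_RE.search(line)
        if m:
            forwards[m.group(1)] += 1
    unanswered = {k: n for k, n in issued.items() if k not in answered}
    return {"issued": dict(issued), "unanswered": unanswered, "keys": keys,
            "forwards": dict(forwards), "results": results}


def report(lines):
    """One line per link of the chain of trust: fetched with which keytags, or never answered."""
    r = analyse(lines)
    out = []
    for (rrtype, name), n in sorted(r["issued"].items()):
        if (rrtype, name) in r["unanswered"]:
            status = f"NO REPLY after {n} attempt(s)"
        else:
            status = f"answered, keytags {sorted(r['keys'][(rrtype, name)])}"
        out.append(f"{rrtype:6} {name:14} {status}")
    out.append("validation results: " + (", ".join(r["results"]) or "none (chain never completed)"))
    return "\n".join(out)
```

`report(STALLED_TRACE)` shows the DS for mozilla.org and the DNSKEY for org answered, the DNSKEY for mozilla.org asked four times with no reply, and no validation result at all; `report(GOOD_TRACE)` shows the same DNSKEY answered with four keytags and a SECURE verdict. The unanswered entry is the query to reproduce with dig, as Simon suggests further down the thread.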


Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-11 Thread Simon Kelley
On 10/07/16 09:21, Marcel Mutter wrote:
> I enabled DNSSEC a few weeks ago and all seems to be working.
> Yesterday I wanted to visit Mozilla.org and nothing happened. I see
> that the request is being sent to the upstream nameserver, however
> nothing is displayed by dnsmasq as a response. I am running "dnsmasq
> -d" with logging enabled so I can see the output in real time.
> 
> dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DS] org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply . is DNSKEY keytag 60615, algo 8
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> 
> Also the same with mozilla.org and mozilla.com and firefox.com
> 
> The upstream server 194.109.9.99 is using Unbound.
> 
> When I query the upstream nameserver directly I get a good response. I am
> running dnsmasq 2.76-1 for Debian at the moment and I updated it a
> few hours ago from 2.72-3.
> 

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but
stalling on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.





[Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-10 Thread Marcel Mutter
I enabled DNSSEC a few weeks ago and all seems to be working.
Yesterday I wanted to visit Mozilla.org and nothing happened. I see
that the request is being sent to the upstream nameserver, however
nothing is displayed by dnsmasq as a response. I am running "dnsmasq
-d" with logging enabled so I can see the output in real time.


dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DS] org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply . is DNSKEY keytag 60615, algo 8
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99

Also the same with mozilla.org and mozilla.com and firefox.com

The upstream server 194.109.9.99 is using Unbound.

When I query the upstream nameserver directly I get a good response. I am
running dnsmasq 2.76-1 for Debian at the moment and I updated it a
few hours ago from 2.72-3.

