Re: [Dnsmasq-discuss] DNSSEC failure for dagjeuitactie.nl

2018-10-28 Thread Simon Kelley
There's a CNAME at the root of the domain, which is not permissible, and
the root cause of the validation failure.


https://medium.freecodecamp.org/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c

gives some reasons why this is not a good idea.

What actually happens is that dnsmasq makes a query for the DS record
for dagjeuitactie.nl and gets back the CNAME, rather than NSEC records
from the parent proving that the DS doesn't work. It's arguable that
this is not sensible behaviour, but it's what happens, and it makes
it impossible for dnsmasq to do validation.

The easiest way to fix this is almost certainly to fix the domain.


Cheers,

Simon.



On 26/10/2018 15:05, Willem Bargeman wrote:
> Hi Simon,
> 
> I received a message that the website dagjeuitactie.nl was not working.
> When I do a dig for this domain the status is SERVFAIL.
> 
> dig dagjeuitactie.nl @127.0.0.1 -p 5353
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dagjeuitactie.nl @127.0.0.1 -p 5353
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30367
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1452
> ;; QUESTION SECTION:
> ;dagjeuitactie.nl.  IN  A
> 
> ;; Query time: 101 msec
> ;; SERVER: 127.0.0.1#5353(127.0.0.1)
> ;; WHEN: Fri Oct 26 15:50:50 CEST 2018
> ;; MSG SIZE  rcvd: 45
> 
> In the log file I can see the following.
> 
> dnsmasq[5172]: query[A] dagjeuitactie.nl from 127.0.0.1
> dnsmasq[5172]: forwarded dagjeuitactie.nl to 127.0.1.1
> dnsmasq[5172]: validation dagjeuitactie.nl is BOGUS
> 
> A query using the Cloudflare or Google DNS servers is working.
> The domain name (dagjeuitactie.nl and www.dagjeactie.nl) is a CNAME
> for dagjeuit-web.queueup.eu. Dagjeuitactie.nl is not DNSSEC enabled.
> However, the domain dagjeuit-web.queueup.eu is DNSSEC enabled. However,
> this record is also a CNAME to an AWS server.
> 
> I'm not a DNSSEC expert, but is this behaviour correct? Is this a failure
> in Dnsmasq or is the domain not configured correctly?
> 
> Thank you!
> 
> Best regards,
> Willem Bargeman
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

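Simon's reply comes down to one rule: a validator asking the parent for a child's DS can only reach a verdict from a signed DS RRset (secure delegation) or a signed NSEC/NSEC3 denial proving there is no DS (insecure delegation, RFC 4035 section 5); a CNAME handed back for the apex is neither, so the only possible outcome is Bogus. The following is an added example written for this thread, not dnsmasq's own code: it classifies a DS response into those three outcomes over constructed sample responses in a simplified presentation format. The domain names, DS digests and signature data in the samples are made up; signature verification and NSEC3 hashing are left out (an RRSIG's presence stands in for a verified signature, and plain NSEC is used where .nl would really serve NSEC3).

```python
"""Classify a DS response the way a DNSSEC validator has to.

Added example, not dnsmasq's code. Input is a constructed, simplified
presentation format: section header lines "ANSWER:" / "AUTHORITY:",
then one record per line as "<owner> <type> <rdata>". Signature
checking and NSEC3 hashing are omitted; RRSIG presence stands in for
a verified signature.
"""
from collections import defaultdict

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


def parse_response(text):
    """Return {"ANSWER": [(owner, type, rdata), ...], "AUTHORITY": [...]}."""
    sections = defaultdict(list)
    current = "ANSWER"
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].upper()
            continue
        owner, rtype, rdata = line.split(None, 2)
        sections[current].append((owner.lower(), rtype.upper(), rdata))
    return sections


def _signed(records, owner, rtype):
    """True if an RRSIG covering <rtype> for <owner> sits in the same section."""
    return any(o == owner and t == "RRSIG" and r.split()[0].upper() == rtype
               for o, t, r in records)


def nsec_denies_ds(records, qname):
    """A signed NSEC owned by qname whose type bitmap lacks DS proves that
    the name exists at the parent as a delegation with no DS."""
    for owner, rtype, rdata in records:
        if rtype == "NSEC" and owner == qname:
            _next_name, *bitmap = rdata.split()
            if "DS" not in (t.upper() for t in bitmap):
                return _signed(records, owner, "NSEC")
    return False


def classify_ds_response(qname, sections):
    """Return (verdict, reason) for a response to <qname> IN DS."""
    qname = qname.lower()
    answer = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])

    # Case 1: the parent published a DS for the child -> secure delegation.
    if any(o == qname and t == "DS" for o, t, _ in answer):
        if _signed(answer, qname, "DS"):
            return SECURE, "signed DS RRset present"
        return BOGUS, "DS RRset present but unsigned"

    # Case 2: the parent proves there is no DS -> insecure delegation;
    # unsigned data below this point may be accepted.
    if nsec_denies_ds(authority, qname):
        return INSECURE, "parent NSEC proves the delegation has no DS"

    # Case 3: what this thread hit. The DS query is answered with the
    # child's apex CNAME: neither a DS nor a denial, so no verdict.
    if any(o == qname and t == "CNAME" for o, t, _ in answer):
        return BOGUS, ("DS query answered with a CNAME at the zone apex; "
                       "no DS and no NSEC denial from the parent")

    return BOGUS, "no DS and no authenticated denial of DS"


def verdict(qname, response_text):
    return classify_ds_response(qname, parse_response(response_text))


# Constructed samples (made-up rdata, key tags and signatures).
APEX_CNAME = """
ANSWER:
dagjeuitactie.nl. CNAME dagjeuit-web.queueup.eu.
AUTHORITY:
"""

INSECURE_DELEGATION = """
ANSWER:
AUTHORITY:
example.nl. NSEC examplf.nl. NS RRSIG NSEC
example.nl. RRSIG NSEC 8 2 3600 20181101000000 20181025000000 12345 nl. c2lnbmF0dXJl
"""

SECURE_DELEGATION = """
ANSWER:
signed.nl. DS 12345 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
signed.nl. RRSIG DS 8 2 3600 20181101000000 20181025000000 12345 nl. c2lnbmF0dXJl
AUTHORITY:
"""

if __name__ == "__main__":
    for label, name, text in [
        ("apex CNAME (this thread)", "dagjeuitactie.nl.", APEX_CNAME),
        ("insecure delegation", "example.nl.", INSECURE_DELEGATION),
        ("secure delegation", "signed.nl.", SECURE_DELEGATION),
    ]:
        print(f"{label:26s} -> {verdict(name, text)}")
```

To see the real thing, run `dig +dnssec DS dagjeuitactie.nl` against one of the .nl authoritative servers and against the resolver dnsmasq forwards to (127.0.1.1 in the log above), and compare the two answers with the three cases: the parent should return an NSEC3 denial in the authority section, and if what comes back instead is the apex CNAME, that is the answer dnsmasq cannot validate.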


[Dnsmasq-discuss] DNSSEC failure for dagjeuitactie.nl

2018-10-26 Thread Willem Bargeman
Hi Simon,

I received a message that the website dagjeuitactie.nl was not working.
When I do a dig for this domain the status is SERVFAIL.

dig dagjeuitactie.nl @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Ubuntu <<>> dagjeuitactie.nl @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30367
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dagjeuitactie.nl.  IN  A

;; Query time: 101 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Oct 26 15:50:50 CEST 2018
;; MSG SIZE  rcvd: 45

In the log file I can see the following.

dnsmasq[5172]: query[A] dagjeuitactie.nl from 127.0.0.1
dnsmasq[5172]: forwarded dagjeuitactie.nl to 127.0.1.1
dnsmasq[5172]: validation dagjeuitactie.nl is BOGUS

A query using the Cloudflare or Google DNS servers is working.
The domain name (dagjeuitactie.nl and www.dagjeactie.nl) is a CNAME for
dagjeuit-web.queueup.eu. Dagjeuitactie.nl is not DNSSEC enabled. However,
the domain dagjeuit-web.queueup.eu is DNSSEC enabled. However, this record
is also a CNAME to an AWS server.

I'm not a DNSSEC expert, but is this behaviour correct? Is this a failure in
Dnsmasq or is the domain not configured correctly?

Thank you!

Best regards,
Willem Bargeman