Re: [Dnsmasq-discuss] Google's DNS and Insecure DS reply received, do upstream DNS servers support DNSSEC?

2018-07-29 Thread Simon Kelley
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 +dnssec DS myqnapcloud.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;myqnapcloud.com.   IN  DS

;; ANSWER SECTION:
myqnapcloud.com.   599 IN  CNAME qcloud-pr-frontend-102539.us-east-1.elb.amazonaws.com.

;; AUTHORITY SECTION:
us-east-1.elb.amazonaws.com. 23 IN  SOA ns-1119.awsdns-11.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60

;; Query time: 90 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 29 22:38:26 BST 2018
;; MSG SIZE  rcvd: 194

Is all wrong. Even if there's a CNAME at the root of the zone, there
should also be a DS record there. (DS records are special and can
co-exist with a CNAME.)


http://dnsviz.net/d/myqnapcloud.com/dnssec/ lights up red too.


TL;DR I think that problem is the configuration of that domain/zone.



Cheers,

Simon.

On 28/07/18 18:48, Kevin Darbyshire-Bryant wrote:
> Greetings!
> 
> This isn’t a new problem but curiosity/frustration has now got the better of 
> me.  I’ve a QNAP NAS box which registers itself under 
> ‘waldorfdb.myqnapcloud.com’ with both IPv4 & IPv6 addresses.
> 
> My home lan router provides DHCP & DNS service courtesy dnsmasq.  Sometimes 
> my local browser is unable to resolve the above domain name and the “Insecure 
> DS reply received” message is seen in the router’s syslog:
> 
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 query[A] waldorfdb.myqnapcloud.com from 2a02:c7f:1231:2000::dc83
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 forwarded waldorfdb.myqnapcloud.com to 8.8.4.4
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
> Sat Jul 28 18:13:49 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 reply myqnapcloud.com is BOGUS DS
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 validation waldorfdb.myqnapcloud.com is BOGUS
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 reply waldorfdb.myqnapcloud.com is 151.227.238.60
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 query[A] waldorfdb.myqnapcloud.com from 192.168.219.142
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 forwarded waldorfdb.myqnapcloud.com to 8.8.4.4
> Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
> Sat Jul 28 18:13:50 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
> Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 reply myqnapcloud.com is BOGUS DS
> Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 validation waldorfdb.myqnapcloud.com is BOGUS
> Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 reply waldorfdb.myqnapcloud.com is 151.227.238.60
> 
> Curiously a few minutes later and all is well, or well enough that my client 
> gets an answer:
> 
> Sat Jul 28 18:16:24 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 query[A] waldorfdb.myqnapcloud.com from 2a02:c7f:1231:2000::dc83
> Sat Jul 28 18:16:24 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 forwarded waldorfdb.myqnapcloud.com to 2001:4860:4860::8844
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844
> Sat Jul 28 18:16:25 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 reply myqnapcloud.com is BOGUS DS
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 validation waldorfdb.myqnapcloud.com is BOGUS
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 reply waldorfdb.myqnapcloud.com is 151.227.238.60
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 query[A] waldorfdb.myqnapcloud.com from 192.168.219.142
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 forwarded waldorfdb.myqnapcloud.com to 2001:4860:4860::8844
> Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/59027 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844

[Dnsmasq-discuss] Google's DNS and Insecure DS reply received, do upstream DNS servers support DNSSEC?

2018-07-28 Thread Kevin Darbyshire-Bryant
Greetings!

This isn’t a new problem but curiosity/frustration has now got the better of 
me.  I’ve a QNAP NAS box which registers itself under 
‘waldorfdb.myqnapcloud.com’ with both IPv4 & IPv6 addresses.

My home lan router provides DHCP & DNS service courtesy dnsmasq.  Sometimes my 
local browser is unable to resolve the above domain name and the “Insecure DS 
reply received” message is seen in the router’s syslog:

Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 query[A] waldorfdb.myqnapcloud.com from 2a02:c7f:1231:2000::dc83
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 forwarded waldorfdb.myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:49 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 validation waldorfdb.myqnapcloud.com is BOGUS
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1087 2a02:c7f:1231:2000::dc83/57269 reply waldorfdb.myqnapcloud.com is 151.227.238.60
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 query[A] waldorfdb.myqnapcloud.com from 192.168.219.142
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 forwarded waldorfdb.myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:50 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 validation waldorfdb.myqnapcloud.com is BOGUS
Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: 1088 192.168.219.142/51181 reply waldorfdb.myqnapcloud.com is 151.227.238.60

Curiously a few minutes later and all is well, or well enough that my client 
gets an answer:

Sat Jul 28 18:16:24 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 query[A] waldorfdb.myqnapcloud.com from 2a02:c7f:1231:2000::dc83
Sat Jul 28 18:16:24 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 forwarded waldorfdb.myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 validation waldorfdb.myqnapcloud.com is BOGUS
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1121 2a02:c7f:1231:2000::dc83/51183 reply waldorfdb.myqnapcloud.com is 151.227.238.60
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 query[A] waldorfdb.myqnapcloud.com from 192.168.219.142
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 forwarded waldorfdb.myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/59027 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/59027 reply myqnapcloud.com is no DS
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 validation result is INSECURE
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1122 192.168.219.142/59027 reply waldorfdb.myqnapcloud.com is 151.227.238.60
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1123 2a02:c7f:1231:2000::dc83/59028 query[] waldorfdb.myqnapcloud.com from 2a02:c7f:1231:2000::dc83
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1123 2a02:c7f:1231:2000::dc83/59028 forwarded waldorfdb.myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1123 2a02:c7f:1231:2000::dc83/59028 validation result is INSECURE
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: 1123 2a02:c7f:1231:2000::dc83/59028 reply waldorfdb.myqnapcloud.com is 2a02:c7f:1231:2000::c


I only seem to see this behaviour if using Google's public DNS.

Anyone else seeing this sort of thing?  Help! :-)  I’m at your disposal.

Cheers,

Kevin D-B

012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A
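
A triage sketch for the log in the post above, added here as an example and not part of the original message or of dnsmasq: it pairs each `dnssec-query[DS]` entry with the DS verdict later logged for the same client/port, then tallies verdicts per upstream server. The function names are hypothetical, and the embedded lines are DS-related entries taken from the post, unwrapped to one entry per line.

```python
import re
from collections import Counter, defaultdict

# DS-related entries excerpted from the post's syslog, one entry per line.
LOG = """\
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:49 2018 daemon.warn dnsmasq[21675]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/57269 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:13:49 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 dnssec-query[DS] myqnapcloud.com to 8.8.4.4
Sat Jul 28 18:13:50 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/51181 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 2a02:c7f:1231:2000::dc83/51183 reply myqnapcloud.com is BOGUS DS
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/59027 dnssec-query[DS] myqnapcloud.com to 2001:4860:4860::8844
Sat Jul 28 18:16:25 2018 daemon.info dnsmasq[21675]: * 192.168.219.142/59027 reply myqnapcloud.com is no DS
"""

# "<serial or *> <client>/<port> <message>" after the dnsmasq[pid]: prefix.
ENTRY = re.compile(r"dnsmasq\[\d+\]: \S+ (?P<client>\S+/\d+) (?P<rest>.+)$")
DS_QUERY = re.compile(r"dnssec-query\[DS\] (?P<zone>\S+) to (?P<upstream>\S+)$")
REPLY = re.compile(r"reply (?P<zone>\S+) is (?P<verdict>.+)$")

def ds_verdicts_by_upstream(log_text):
    """Map (zone, upstream) -> {verdict: count} for DS lookups in the log."""
    pending = {}                  # (client/port, zone) -> upstream asked for DS
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue              # e.g. daemon.warn lines carry no client/port
        client, rest = entry["client"], entry["rest"]
        query = DS_QUERY.match(rest)
        if query:
            pending[(client, query["zone"])] = query["upstream"]
            continue
        reply = REPLY.match(rest)
        # Only a reply for a zone with an outstanding DS query is a DS verdict;
        # the A/AAAA replies name the host, not the zone, and are skipped.
        if reply and (client, reply["zone"]) in pending:
            upstream = pending.pop((client, reply["zone"]))
            tally[(reply["zone"], upstream)][reply["verdict"]] += 1
    return {key: dict(counts) for key, counts in tally.items()}

def inconsistent(tally):
    """(zone, upstream) pairs where the same DS question got differing verdicts."""
    return sorted(key for key, counts in tally.items() if len(counts) > 1)

if __name__ == "__main__":
    result = ds_verdicts_by_upstream(LOG)
    print(result)
    print("inconsistent:", inconsistent(result))
```

On these entries the only pair with mixed verdicts is myqnapcloud.com via 2001:4860:4860::8844, where dnsmasq logged both BOGUS DS and no DS for the same DS question within the same second.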


