Re: [Dnsmasq-discuss] DNSSEC failure after some time
Also, ensure that TCP connections to 8.8.8.8 and 8.8.4.4 are not being
blocked in your firewall.

Cheers,

Simon.

On 03/07/17 09:35, Hamish Moffatt wrote:
> On 29/06/17 09:42, Hamish Moffatt wrote:
>> On 29/06/17 07:05, Simon Kelley wrote:
>>> Your text says 2.75, but the log says 2.76. There's a significant
>>> difference between the two in DNSSEC code.
>>>
>>> First thing to do is to turn on --log-queries and arrange for the (quite
>>> large) logs to go somewhere safe, if the router has limited storage.
>>> That should give you information about why the validation is failing.
>>>
>>
>> I meant 2.76. I will start logging and report back if I see the
>> failure again (but two weeks in a row now).
>
> This just happened again. Here are the logs from a couple of DNS lookups
> after it failed. I redacted the hostnames and IPs, hope it still makes
> sense.
>
>
> Jul 3 16:58:36 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2
> Jul 3 16:58:36 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4
> Jul 3 16:58:37 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2
> Jul 3 16:58:37 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4
> Jul 3 16:58:37 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
> Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
> Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
> Jul 3 16:58:37 router daemon.info dnsmasq[11219]: query[A] foo2.foo.com from 192.168.42.2
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: forwarded foo2.foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: validation foo2.foo.com is ABANDONED
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: reply foo2.foo.com is
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: reply foo.com is 2.2.2.2
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com is
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: query[A] foo2.foo.com from 192.168.42.2
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: forwarded foo2.foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: validation foo2.foo.com is ABANDONED
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: reply foo2.foo.com is
> Jul 3 16:58:38 router daemon.info dnsmasq[11220]: reply foo.com is 2.2.2.2
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com.cloud.net.au from 192.168.42.2
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com.cloud.net.au to 8.8.4.4
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: validation result is INSECURE
> Jul 3 16:58:38 router daemon.info dnsmasq[10149]: reply foo2.foo.com.cloud.net.au is NXDOMAIN
>
> Jul 3 17:00:48 router daemon.info dnsmasq[11425]: dnssec-query[DNSKEY] foo.com to 8.8.8.8
> Jul 3 17:00:48 router daemon.info dnsmasq[11425]: validation dev.foo.com is ABANDONED
> Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply dev.foo.com is
> Jul 3 17:00:48 router daemon.info dnsmasq[11425]: reply office-gw.foo.com.au is 1.1.1.1
> Jul 3 17:00:48 router daemon.info dnsmasq[10149]: query[A] dev.foo.com.cloud.net.au from 192.168.42.2
> Jul 3 17:00:48 router daemon.info dnsmasq[10149]: cached dev.foo.com.cloud.net.au is NXDOMAIN
> Jul 3 17:00:53 router daemon.info dnsmasq[10149]: query[A] docs.google.com from 192.168.42.2
> Jul 3 17:00:53 router daemon.info dnsmasq[10149]: forwarded docs.google.com to 8.8.8.8
> Jul 3 17:00:53 router daemon.info dnsmasq[10149]: validation result is INSECURE
> Jul 3 17:00:53 router daemon.info dnsmasq[10149]: reply docs.google.com is 216.58.200.110
> Jul 3 17:01:02 router daemon.info dnsmasq[10149]: query[A] foo1.foo.com from 192.168.42.2
> Jul 3 17:01:02 router daemon.info dnsmasq[10149]: forwarded foo1.foo.com to 8.8.8.8
> Jul 3 17:01:02 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.8.8
> Jul 3 17:01:03 router daemon.info dnsmasq[10149]: reply foo1.foo.com is 2.2.2.2
> Jul 3 17:01:03 router daemon.info dnsmasq[11427]: query[A]
Re: [Dnsmasq-discuss] DNSSEC failure after some time
Clue: these failures are happening with DNS queries sent over TCP (The
PIDs tell the story, 10149 is the main daemon, and 11219, 11220 are child
processes handling TCP connections.)

I think this is fixed in 2.77 by

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=361dfe515879b5adabf3702b8be692c4fb6bf3a7

Is there any way you could upgrade to 2.77?

Cheers,

Simon.

On 03/07/17 09:35, Hamish Moffatt wrote:
> On 29/06/17 09:42, Hamish Moffatt wrote:
>> On 29/06/17 07:05, Simon Kelley wrote:
>>> Your text says 2.75, but the log says 2.76. There's a significant
>>> difference between the two in DNSSEC code.
>>>
>>> First thing to do is to turn on --log-queries and arrange for the (quite
>>> large) logs to go somewhere safe, if the router has limited storage.
>>> That should give you information about why the validation is failing.
>>>
>>
>> I meant 2.76. I will start logging and report back if I see the
>> failure again (but two weeks in a row now).
>
> This just happened again. Here are the logs from a couple of DNS lookups
> after it failed. I redacted the hostnames and IPs, hope it still makes
> sense.
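Added example, not part of the original thread and not dnsmasq code: a Python script that does the PID correlation described in the message above over a --log-queries log, counting validation outcomes per dnsmasq PID and splitting failures between the main daemon and its forked children. The sample lines are copied from the log quoted in this thread; treating the PID with the most log lines as the main daemon is an assumption of this example, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the log quoted in this thread (already redacted there).
SAMPLE_LOG = """\
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: query[A] foo2.foo.com from 192.168.42.2
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: forwarded foo2.foo.com to 8.8.4.4
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
Jul 3 16:58:37 router daemon.info dnsmasq[10149]: reply foo.com is 2.2.2.2
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: forwarded foo2.foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11219]: validation foo2.foo.com is ABANDONED
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: dnssec-query[DNSKEY] foo.com to 8.8.4.4
Jul 3 16:58:38 router daemon.info dnsmasq[11220]: validation foo2.foo.com is ABANDONED
Jul 3 16:58:38 router daemon.info dnsmasq[10149]: validation result is INSECURE
Jul 3 17:00:48 router daemon.info dnsmasq[11425]: validation dev.foo.com is ABANDONED
Jul 3 17:00:53 router daemon.info dnsmasq[10149]: validation result is INSECURE
"""

LINE_RE = re.compile(r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Matches both "validation result is INSECURE" and "validation <name> is ABANDONED".
VALIDATION_RE = re.compile(r"^validation (?:result|\S+) is (?P<status>[A-Z]+)$")
FAILED = {"ABANDONED", "BOGUS"}

def summarize(log_text, main_pid=None):
    """Return (main_pid, {pid: {status: count}}, {"main": n, "child": n})."""
    lines_per_pid = Counter()
    outcomes = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dnsmasq syslog line
        pid = int(m["pid"])
        lines_per_pid[pid] += 1
        v = VALIDATION_RE.match(m["msg"].strip())
        if v:
            outcomes[pid][v["status"]] += 1
    if main_pid is None and lines_per_pid:
        # Assumption: the long-lived main daemon logs more lines than any child.
        main_pid = lines_per_pid.most_common(1)[0][0]
    failures = {"main": 0, "child": 0}
    for pid, counts in outcomes.items():
        failed = sum(n for status, n in counts.items() if status in FAILED)
        failures["main" if pid == main_pid else "child"] += failed
    return main_pid, {pid: dict(c) for pid, c in outcomes.items()}, failures

if __name__ == "__main__":
    main_pid, per_pid, failures = summarize(SAMPLE_LOG)
    print("main daemon PID:", main_pid)
    for pid, counts in sorted(per_pid.items()):
        print(pid, "main" if pid == main_pid else "child", counts)
    print("validation failures:", failures)
```

If the main PID is known (for example from the pid file), pass it as `main_pid` instead of relying on the line-count heuristic.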
Re: [Dnsmasq-discuss] DNSSEC failure after some time
On 03/07/17 18:35, Hamish Moffatt wrote:
> Jul 3 16:58:38 router daemon.info dnsmasq[11219]: validation foo2.foo.com is ABANDONED

Now I have this again 24 hours later, and I also have some saying

validation foo2.foo.com is BOGUS

Hamish
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] DNSSEC failure after some time
On 29/06/17 07:05, Simon Kelley wrote:
> Your text says 2.75, but the log says 2.76. There's a significant
> difference between the two in DNSSEC code.
>
> First thing to do is to turn on --log-queries and arrange for the (quite
> large) logs to go somewhere safe, if the router has limited storage.
> That should give you information about why the validation is failing.

I meant 2.76. I will start logging and report back if I see the failure
again (but two weeks in a row now).

thanks
Hamish