Hi,
Not sure where the problem is... maybe others can reproduce this.
When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
access attachments.
The attachments are forwarded to a CNAME, for example:
---
546330.bugs.gentoo.org. 60 IN CNAME bugs-gossamer.gentoo.org.
bugs-gossamer.gentoo.org. 300 IN CNAME gannet.gentoo.org.
gannet.gentoo.org. 604800 IN A 204.187.15.4
---
When trying to access without dnssec all is ok:
---
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is CNAME
Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is CNAME
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---
When trying to access with dnssec, notice the validation result is
BOGUS, no result is returned:
---
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is CNAME
Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is CNAME
Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---
Maybe it is local issue of the dns I am using (I have no access to
it), but maybe there is a issue at infra.
Regards,
Alon Bar-Lev.