[gentoo-dev] bugs.gentoo.org and dnssec

2015-04-21 Thread Alon Bar-Lev
Hi,

Not sure where the problem is... maybe others can reproduce this.

When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
access attachments.

The attachments are forwarded to a CNAME, for example:
---
546330.bugs.gentoo.org. 60  IN  CNAME   bugs-gossamer.gentoo.org.
bugs-gossamer.gentoo.org. 300   IN  CNAME   gannet.gentoo.org.
gannet.gentoo.org.  604800  IN  A   204.187.15.4
---

When trying to access without dnssec all is ok:
---
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is CNAME
Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is CNAME
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---

When trying to access with dnssec, notice the validation result is
BOGUS, no result is returned:
---
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is CNAME
Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is CNAME
Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---

Maybe it is a local issue of the DNS I am using (I have no access to
it), but maybe there is an issue at infra.

Regards,
Alon Bar-Lev.
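
A triage helper for logs like the dnssec-enabled one in the message above, added here as an example and not part of the original thread: it groups dnsmasq log lines per client query, records the validation result, and lists zones whose logged DS keytags match none of the logged DNSKEY keytags. It assumes the lines for one query are contiguous (a busy resolver interleaves them), and a keytag match is only a hint about where to look, not cryptographic validation; the names `triage` and `unlinked_zones` are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dnssec-enabled log lines quoted above.
SAMPLE_LOG = """\
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is CNAME
"""

LINE = re.compile(r"\[dnsmasq\] (?P<msg>.*)$")
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
KEY = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)")
RESULT = re.compile(r"validation result is (\w+)")

def triage(log_text):
    """Return one dict per client query: name, type, result, keytags per zone."""
    entries, cur = [], None
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a dnsmasq line (e.g. syslog "repeated" markers)
        msg = m.group("msg")
        if q := QUERY.match(msg):  # a new client query starts a new entry
            cur = {"name": q.group(2), "type": q.group(1), "result": None,
                   "ds": defaultdict(set), "dnskey": defaultdict(set)}
            entries.append(cur)
        elif cur is None:
            continue  # key/result lines before any query: nothing to attach to
        elif k := KEY.match(msg):
            cur[k.group(2).lower()][k.group(1)].add(int(k.group(3)))
        elif r := RESULT.match(msg):
            cur["result"] = r.group(1)
    return entries

def unlinked_zones(entry):
    """Zones whose DS keytags match none of the DNSKEY keytags logged for them."""
    return sorted(zone for zone, tags in entry["ds"].items()
                  if not tags & entry["dnskey"].get(zone, set()))
```

On the sample, the result is BOGUS while every DS keytag has a matching DNSKEY keytag, which points the investigation at the signatures on the answer records or at the upstream forwarder rather than at the delegation chain.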



Re: [gentoo-dev] bugs.gentoo.org and dnssec

2015-04-21 Thread James Cloos
>>>>> "AB" == Alon Bar-Lev alo...@gentoo.org writes:

AB> When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
AB> access attachments.

It works here using a local unbound.

But dnsmasq had some growth pains when it added dnssec verification, due
to its bottom-up rather than the usual top-down approach.

AIUI, the current release should work.

If you see that issue with 2.72 or later, they'd like to hear about it.

Their list is:  dnsmasq-disc...@lists.thekelleys.org.uk

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6



Re: [gentoo-dev] bugs.gentoo.org and dnssec

2015-04-21 Thread Alon Bar-Lev
On 21 April 2015 at 20:40, James Cloos cl...@jhcloos.com wrote:
> >>>>> "AB" == Alon Bar-Lev alo...@gentoo.org writes:
>
> AB> When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
> AB> access attachments.
>
> It works here using a local unbound.
>
> But dnsmasq had some growth pains when it added dnssec verification, due
> to its bottom-up rather than the usual top-down approach.
>
> AIUI, the current release should work.
>
> If you see that issue with 2.72 or later, they'd like to hear about it.
>
> Their list is:  dnsmasq-disc...@lists.thekelleys.org.uk


Thanks!
I suspected that.
Yes, I am using 2.72, I will send a message.