Re: [Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-22 Thread Neil Jerram
Something to do with the recent change of the root DNSSEC key?

(dnsmasq has the new key in its codebase, but perhaps your config
isn't pulling it in correctly?)
On Mon, Oct 22, 2018 at 6:23 PM Craig Andrews  wrote:
>
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
>
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
>
> Here are a couple of tests demonstrating the problem:
> --
> $ dig disa.mil @192.168.0.1 +dnssec +short
> 
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> --
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
>
> --
> # dnsmasq --version
> Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6
> no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
> dumpfile
>
> This software comes with ABSOLUTELY NO WARRANTY.
> Dnsmasq is free software, and you are welcome to redistribute it
> under the terms of the GNU General Public License, version 2 or 3.
> --
>
> Thanks in advance for your help and for this great software,
> ~Craig
>

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-22 Thread Simon Kelley
On 22/10/2018 17:56, Craig Andrews wrote:
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
> 
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
> 
> Here are a couple of tests demonstrating the problem:
> --
> $ dig disa.mil @192.168.0.1 +dnssec +short
> 
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> --
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
> 
> --
> # dnsmasq --version
> Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6
> no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
> 
> This software comes with ABSOLUTELY NO WARRANTY.
> Dnsmasq is free software, and you are welcome to redistribute it
> under the terms of the GNU General Public License, version 2 or 3.
> --
> 
> Thanks in advance for your help and for this great software,
> ~Craig

I can reproduce this, and checking with DNSviz doesn't show any problems
with the domain, so this could well be a dnsmasq/DNSSEC problem.

I'll try and find time to do some forensics on it in the next day or two.


Cheers,

Simon.



Re: [Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-22 Thread Matthias Andree
Am 22.10.18 um 18:56 schrieb Craig Andrews:
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that
> we can figure out why that is.

Works for me with dnsmasq 2.80 (release) and a local unbound as upstream:

Unbound:

> $ dig disa.mil @127.0.0.1 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
Dnsmasq:

> $ dig disa.mil @192.168.33.129 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=


Note however that 1.1.1.1 does NOT return dnssec info, just the bare
address, which may already be the point... use it in dig's @... option
to see the difference to Google's DNS resolver.

HTH,
Matthias
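Matthias's observation that 1.1.1.1 hands back only the bare address is the thing a validating forwarder cannot work around: without the RRSIG it has nothing to validate. The following Python is an added example (not code from the thread or from dnsmasq) that parses the `dig +dnssec +short` outputs quoted above, reconstructed here as constructed sample input, and reports for each upstream whether an RRSIG is present and whether its inception/expiration window covers the query time; it checks presence and timing only, not the signature itself.

```python
import re
from datetime import datetime, timezone

# Constructed from the dig outputs quoted in this thread: 8.8.8.8 returns the A record
# plus its RRSIG, 1.1.1.1 only the bare address, dnsmasq (192.168.0.1) nothing.
RRSIG_DISA = ("A 8 2 7200 20181117145327 20181018145327 52983 disa.mil. "
              "dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc"
              "YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w"
              "aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=")
SAMPLE_OUTPUTS = {
    "192.168.0.1": "",
    "8.8.8.8": "156.112.108.76\n" + RRSIG_DISA + "\n",
    "1.1.1.1": "156.112.108.76\n",
}
THREAD_DATE = datetime(2018, 10, 22, 18, 0, tzinfo=timezone.utc)  # when the thread was posted

# RRSIG rdata as printed by +short: type-covered algorithm labels original-ttl
# expiration inception key-tag signer-name signature (base64, may contain spaces)
RRSIG_RE = re.compile(r"^(?P<covered>\S+) (?P<alg>\d+) (?P<labels>\d+) (?P<ttl>\d+) "
                      r"(?P<expiration>\d{14}) (?P<inception>\d{14}) (?P<keytag>\d+) "
                      r"(?P<signer>\S+) (?P<sig>.+)$")

def parse_timestamp(stamp):
    """RRSIG timestamps are UTC in YYYYMMDDHHMMSS form."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_short(text):
    """Split `dig +dnssec +short` output into plain answers and parsed RRSIGs."""
    answers, rrsigs = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = RRSIG_RE.match(line)
        if m:
            d = m.groupdict()
            d["expiration"] = parse_timestamp(d["expiration"])
            d["inception"] = parse_timestamp(d["inception"])
            rrsigs.append(d)
        else:
            answers.append(line)
    return answers, rrsigs

def classify(text, now=THREAD_DATE):
    """What a validating forwarder such as dnsmasq has to work with from this upstream."""
    answers, rrsigs = parse_short(text)
    if not answers:
        return "no answer"
    if not rrsigs:
        return "answer without RRSIG"
    if all(s["inception"] <= now <= s["expiration"] for s in rrsigs):
        return "answer with RRSIG inside validity window"
    return "answer with RRSIG outside validity window"
```

Run over the three samples at the thread's date it reports "no answer" for dnsmasq, "answer with RRSIG inside validity window" for 8.8.8.8 and "answer without RRSIG" for 1.1.1.1, which is exactly the split Matthias points at.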




[Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-22 Thread Craig Andrews
I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we 
can figure out why that is.


I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream 
DNS server; dnsmasq is running on 192.168.0.1.


Here are a couple of tests demonstrating the problem:
--
$ dig disa.mil @192.168.0.1 +dnssec +short

$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil. 
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc 
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w 
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

[candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76
--
So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with 
dnssec works, but not with dnsmasq.


--
# dnsmasq --version
Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 
no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify 
dumpfile


This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
--

Thanks in advance for your help and for this great software,
~Craig
