[Dnsmasq-discuss] ipv6 dhcp range mode static does not work

2018-10-23 Thread shixin.ruan
Hi Guys,

I deploy a dnsmasq with
"dhcp-range=2234:aabb:ccff:ffe::2,2234:aabb:ccff:ffe:0:ff::,static,120,24h",
I hope that dnsmasq will reply success ONLY when the [mac, ip]
match the binding in dhcp-hostsfile.

But dnsmasq will reply success when it received a dhcp confirmation with
[mac, ip] not in dhcp-hostsfile.

Do you have any idea how to achieve this?

Thanks in advance.

Here is the conf file:

# ps -aux | grep dns
nobody 16473 0.0 0.0 15604 980 ? S 11:33 0:00 /usr/sbin/dnsmasq
--conf-file=/var/lib/dnsmasq/dnsmasq.conf
# cat /var/lib/dnsmasq/dnsmasq.conf
domain-needed
bogus-priv
no-hosts
dhcp-option=vendor:MSFT,2,1i
dhcp-lease-max=65535
dhcp-hostsfile=/var/lib/dnsmasq/hosts.dhcp
interface=inner3
except-interface=lo
bind-interfaces
leasefile-ro
dhcp-range=2234:aabb:ccff:ffe::2,2234:aabb:ccff:ffe:0:ff::,static,88,24h
# cat /var/lib/dnsmasq/hosts.dhcp
fa:a5:bd:b2:1f:00,set:faa5bdb21f00,[2234:aabb:ccff:ffe::43:5b58],2234-aabb-ccff-ffe--43-5b58,infinite

From the manpage of dnsmasq:

"The optional keyword may be static which tells dnsmasq to enable DHCP for
the network specified, but not to dynamically allocate IP addresses: only
hosts which have static addresses given via --dhcp-host or from /etc/ethers
will be served."

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-23 Thread Craig Andrews

On 23.10.2018 17:57, Simon Kelley wrote:

On 22/10/2018 17:56, Craig Andrews wrote:
I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
can figure out why that is.

I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
DNS server; dnsmasq is running on 192.168.0.1.

Here are a couple of tests demonstrating the problem:
--
$ dig disa.mil @192.168.0.1 +dnssec +short

$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
[candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76
--
So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
dnssec works, but not with dnsmasq.



As Matthias says elsewhere in the thread, the last sentence above
appears not to be correct: it does work with 8.8.8.8, but not with 1.1.1.1


srk@holly:~$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
srk@holly:~$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76


The replies from 1.1.1.1 are missing the DNSSEC signatures, and this
appears to be a problem at Cloudflare, rather than a problem with
dnsmasq, or with the domain.

If I use 8.8.8.8 as upstream, dnsmasq validates fine. If I use 1.1.1.1
validation fails, because 1.1.1.1 is not returning the RRSIG RRs, even
though it's been asked to. Without those RRSIGs the reply can't be
validated.

This problem with 1.1.1.1 seems to extend to many more .mil domains.

TL;DR. Not a dnsmasq problem, not a domain problem, probably a
Cloudflare problem.

Craig, please could you report this to Cloudflare?


Cheers,

Simon.


Thanks for correcting my misunderstanding of this issue!

I've reported the issue to Cloudflare at 
https://community.cloudflare.com/t/1-1-1-1-doesnt-return-dnssec-data-for-disa-mil-googles-8-8-8-8-does/40837


Thanks,
~Craig



Re: [Dnsmasq-discuss] Cannot look up disa.mil (dnssec related)

2018-10-23 Thread Simon Kelley
On 22/10/2018 17:56, Craig Andrews wrote:
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
> 
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
> 
> Here are a couple of tests demonstrating the problem:
> --
> $ dig disa.mil @192.168.0.1 +dnssec +short
> 
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> --
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
> 

As Matthias says elsewhere in the thread, the last sentence above
appears not to be correct: it does work with 8.8.8.8, but not with 1.1.1.1

srk@holly:~$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
srk@holly:~$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76


The replies from 1.1.1.1 are missing the DNSSEC signatures, and this
appears to be a problem at Cloudflare, rather than a problem with
dnsmasq, or with the domain.

If I use 8.8.8.8 as upstream, dnsmasq validates fine. If I use 1.1.1.1
validation fails, because 1.1.1.1 is not returning the RRSIG RRs, even
though it's been asked to. Without those RRSIGs the reply can't be
validated.

This problem with 1.1.1.1 seems to extend to many more .mil domains.

TL;DR. Not a dnsmasq problem, not a domain problem, probably a
Cloudflare problem.

Craig, please could you report this to Cloudflare?


Cheers,

Simon.
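
Added example (not part of the original thread and not dnsmasq's code): a presence check for the condition described in the message above, an answer that carries the A RRset but no RRSIG covering it. The replies are constructed samples for the placeholder name "example." with a dummy signature; the function names are hypothetical, and nothing is cryptographically verified.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def answer_types(msg):
    """Return [(rrtype, type_covered or None)] for the answer section.
    RRSIG RDATA begins with the 16-bit type it covers (RFC 4034)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        covered = struct.unpack_from("!H", msg, off)[0] if rtype == TYPE_RRSIG else None
        out.append((rtype, covered))
        off += rdlen
    return out

def has_covering_rrsig(msg, qtype=TYPE_A):
    """True only if the answer holds the RRset and an RRSIG covering it.
    Presence check only; no signature is verified here."""
    types = answer_types(msg)
    return (qtype, None) in types and (TYPE_RRSIG, qtype) in types

def build_reply(with_rrsig):
    """Constructed sample reply for the placeholder name 'example.'."""
    qname, ptr = b"\x07example\x00", b"\xc0\x0c"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, 1)
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 7200, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        # covered, alg, labels, orig TTL, expire, inception, key tag, signer, dummy sig
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 1, 7200, 0, 0, 12345) + qname + bytes(8)
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 7200, len(rdata)) + rdata
    return msg

print(has_covering_rrsig(build_reply(True)), has_covering_rrsig(build_reply(False)))
```
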


