Re: [Dnsmasq-discuss] cannot start dnsmasq

2018-06-29 Thread Christophe Massez
I didn't try the locale suggestion, but removing the dns-root-data package saved
my life. Many thanks, Simon :-)



2018-06-29 16:53 GMT+02:00 Simon Kelley :

> It's a bad interaction between two packages and it's proving difficult
> to get the maintainers for jessie to sort it. The problem is that the
> format of a file in dns-root-data changed.
>
> The simplest solution would be to remove the dns-root-data package from
> your install.
>
>
> Cheers,
>
> Simon.
>
>
> On 29/06/18 14:39, Christophe Massez wrote:
> > Hi all,
> >
> > I've updated my Linux machine (Debian jessie) yesterday and dnsmasq
> > cannot start - no change was made in the config file; here is the log:
> >
> > Jun 29 15:29:00 vterminal systemd[1]: Starting dnsmasq - A lightweight
> > DHCP and caching DNS server...
> > Jun 29 15:29:00 vterminal dnsmasq[29555]: dnsmasq: vérification de
> > syntaxe OK.
> > Jun 29 15:29:00 vterminal dnsmasq[29557]: la ligne de commande contient
> > des éléments indésirables ou incompréhensibles
> > Jun 29 15:29:00 vterminal dnsmasq[29557]: IMPOSSIBLE de démarrer
> > Jun 29 15:29:00 vterminal systemd[1]: dnsmasq.service: control process
> > exited, code=exited status=1
> > Jun 29 15:29:00 vterminal systemd[1]: Failed to start dnsmasq - A
> > lightweight DHCP and caching DNS server.
> > Jun 29 15:29:00 vterminal systemd[1]: Dependency failed for Host and
> > Network Name Lookups.
> > Jun 29 15:29:00 vterminal systemd[1]: Unit dnsmasq.service entered
> > failed state.
> > Jun 29 15:29:00 vterminal dnsmasq[29557]: dnsmasq: la ligne de commande
> > contient des éléments indésirables ou incompréhensibles
> >
> > I also tried on a fresh install (still Debian jessie), and I have the same
> > problem.
> >
> > In both cases:
> > root@vterminal:~# dnsmasq --test
> > dnsmasq: vérification de syntaxe OK.
> >
> >
> > Any clue about this error? Any help would be very welcome.
> > Christophe
> >
> >
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
>


[Dnsmasq-discuss] [Doh] Implementation of DOH in dnsmasq

2018-06-29 Thread Mateusz Jończyk
On 20.06.2018 at 10:57, Geert Stappers wrote:
> On Wed, Jun 20, 2018 at 10:11:53AM +0200, Nicolas Cavallari wrote:
>> On 14/06/2018 22:32, Kurt H Maier wrote:
>>> On Thu, Jun 14, 2018 at 09:38:42PM +0200, Mateusz Jończyk wrote:

>>>> How difficult would it be to add support to DNS over HTTP/2.0 in dnsmasq,
>>>> for example in constrained environments like home routers?

>>>
>>> This should be handled with a wrapper program.  HTTP/2.0 is an enormous
>>> and ill-defined specification and it would not be appropriate to bolt it
>>> directly into dnsmasq.  A dedicated HTTP/2.0 daemon can talk to dnsmasq
>>> on the backend to provide this service.  Home routers are not
>>> particularly constrained in this regard, since they generally have web 
>>> services running to begin with.
>>
>> It's much more than that. To be secure, TLS requires time, entropy and a CA
>> list. Many home routers fail at having all three, or require the DNS to get
>> time and CAs...

DOH server certificate could be provided together with the DOH server IP.

Thank you. So, as has been said above, implementing HTTP/2.0 may be more
difficult than implementing HTTP/1.1.

I would therefore propose to add the following text to the DOH draft (at the end
of section "HTTP/2"):

However, older versions of the HTTP standard are simpler to implement,
and have enough capabilities for limited capability servers on embedded
devices so DOH clients SHOULD be able to use DOH servers that support
only older version(s) of the HTTP standard, such as HTTP/1.0 {{RFC1945}}
and HTTP/1.1 {{RFC7230 - RFC7235}}.


>>
>>>> Please send any replies to the DoH mailing list at .
>>>
>>> Why?

I asked this just for the sake of convenience.

Greetings,
Mateusz Jończyk





Re: [Dnsmasq-discuss] cannot start dnsmasq

2018-06-29 Thread Simon Kelley
It's a bad interaction between two packages and it's proving difficult
to get the maintainers for jessie to sort it. The problem is that the
format of a file in dns-root-data changed.

The simplest solution would be to remove the dns-root-data package from
your install.


Cheers,

Simon.


On 29/06/18 14:39, Christophe Massez wrote:
> Hi all,
> 
> I've updated my Linux machine (Debian jessie) yesterday and dnsmasq
> cannot start - no change was made in the config file; here is the log:
> 
> Jun 29 15:29:00 vterminal systemd[1]: Starting dnsmasq - A lightweight
> DHCP and caching DNS server...
> Jun 29 15:29:00 vterminal dnsmasq[29555]: dnsmasq: vérification de
> syntaxe OK.
> Jun 29 15:29:00 vterminal dnsmasq[29557]: la ligne de commande contient
> des éléments indésirables ou incompréhensibles
> Jun 29 15:29:00 vterminal dnsmasq[29557]: IMPOSSIBLE de démarrer
> Jun 29 15:29:00 vterminal systemd[1]: dnsmasq.service: control process
> exited, code=exited status=1
> Jun 29 15:29:00 vterminal systemd[1]: Failed to start dnsmasq - A
> lightweight DHCP and caching DNS server.
> Jun 29 15:29:00 vterminal systemd[1]: Dependency failed for Host and
> Network Name Lookups.
> Jun 29 15:29:00 vterminal systemd[1]: Unit dnsmasq.service entered
> failed state.
> Jun 29 15:29:00 vterminal dnsmasq[29557]: dnsmasq: la ligne de commande
> contient des éléments indésirables ou incompréhensibles
> 
> I also tried on a fresh install (still Debian jessie), and I have the same
> problem.
> 
> In both cases:
> root@vterminal:~# dnsmasq --test
> dnsmasq: vérification de syntaxe OK.
> 
> 
> Any clue about this error? Any help would be very welcome.
> Christophe
> 
> 
> 


Re: [Dnsmasq-discuss] cannot start dnsmasq

2018-06-29 Thread john doe

On 6/29/2018 3:39 PM, Christophe Massez wrote:

> Hi all,
> 
> I've updated my Linux machine (Debian jessie) yesterday and dnsmasq cannot
> start - no change was made in the config file; here is the log:
> 
> Jun 29 15:29:00 vterminal systemd[1]: Starting dnsmasq - A lightweight DHCP
> and caching DNS server...
> Jun 29 15:29:00 vterminal dnsmasq[29555]: dnsmasq: vérification de syntaxe
> OK.
> Jun 29 15:29:00 vterminal dnsmasq[29557]: la ligne de commande contient des
> éléments indésirables ou incompréhensibles
> Jun 29 15:29:00 vterminal dnsmasq[29557]: IMPOSSIBLE de démarrer
> Jun 29 15:29:00 vterminal systemd[1]: dnsmasq.service: control process
> exited, code=exited status=1
> Jun 29 15:29:00 vterminal systemd[1]: Failed to start dnsmasq - A
> lightweight DHCP and caching DNS server.
> Jun 29 15:29:00 vterminal systemd[1]: Dependency failed for Host and
> Network Name Lookups.
> Jun 29 15:29:00 vterminal systemd[1]: Unit dnsmasq.service entered failed
> state.
> Jun 29 15:29:00 vterminal dnsmasq[29557]: dnsmasq: la ligne de commande
> contient des éléments indésirables ou incompréhensibles
> 
> I also tried on a fresh install (still Debian jessie), and I have the same
> problem.
> 
> In both cases:
> root@vterminal:~# dnsmasq --test
> dnsmasq: vérification de syntaxe OK.
> 
> 
> Any clue about this error? Any help would be very welcome.



The configuration of Dnsmasq is sane as shown by the '--test' option.

Do you have non-ASCII characters in '/etc/default/dnsmasq', or did you
modify '/etc/init.d/dnsmasq' in any way?
Can you change the language of your system to English and see if the
error is fixed?


$ dpkg-reconfigure locales

--
John Doe



[Dnsmasq-discuss] cannot start dnsmasq

2018-06-29 Thread Christophe Massez
Hi all,

I've updated my Linux machine (Debian jessie) yesterday and dnsmasq cannot
start - no change was made in the config file; here is the log:

Jun 29 15:29:00 vterminal systemd[1]: Starting dnsmasq - A lightweight DHCP
and caching DNS server...
Jun 29 15:29:00 vterminal dnsmasq[29555]: dnsmasq: vérification de syntaxe
OK.
Jun 29 15:29:00 vterminal dnsmasq[29557]: la ligne de commande contient des
éléments indésirables ou incompréhensibles
Jun 29 15:29:00 vterminal dnsmasq[29557]: IMPOSSIBLE de démarrer
Jun 29 15:29:00 vterminal systemd[1]: dnsmasq.service: control process
exited, code=exited status=1
Jun 29 15:29:00 vterminal systemd[1]: Failed to start dnsmasq - A
lightweight DHCP and caching DNS server.
Jun 29 15:29:00 vterminal systemd[1]: Dependency failed for Host and
Network Name Lookups.
Jun 29 15:29:00 vterminal systemd[1]: Unit dnsmasq.service entered failed
state.
Jun 29 15:29:00 vterminal dnsmasq[29557]: dnsmasq: la ligne de commande
contient des éléments indésirables ou incompréhensibles

I also tried on a fresh install (still Debian jessie), and I have the same
problem.

In both cases:
root@vterminal:~# dnsmasq --test
dnsmasq: vérification de syntaxe OK.


Any clue about this error? Any help would be very welcome.
Christophe


Re: [Dnsmasq-discuss] DNSSEC passtrough

2018-06-29 Thread Simon Kelley
Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective of
having DNSSEC validation compiled in or enabled.

The thing to understand here is that the cache does not store all the
DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
to determine the set of DNSSEC RRs required in an answer. Therefore if
the client wants the DNSSEC RRs, the query cannot be answered from the
cache. When DNSSEC validation is enabled, any query with the do-bit set
is never answered from the cache, unless the domain is known not to be
signed: the query is always forwarded. This ensures that the DNSSEC RRs
are included.

The same thing should be true when DNSSEC validation is not enabled, but
there's a bug in the logic.

line 1666 of src/rfc1035.c looks like this:

  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
      !(crecp->flags & F_DNSSECOK))
    { ...answer from cache ... }

So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
then the query is answered, and if the domain is known not to be signed,
the query is answered.

Unfortunately, if DNSSEC validation is not turned on then the
F_DNSSECOK bit is not valid, and it's always zero, so the question
always gets answered from the cache, even when the do-bit is set.

This code should look like the code at line 1468, which deals with PTR queries:

  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
      !do_bit ||
      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))

where the F_DNSSECOK bit is only used when validation is enabled.

I think fixing that should make it work the way Petr wants, and I've
pushed the fix as


http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=a997ca0da044719a0ce8a232d14da8b30022592b


Cheers,

Simon.



On 29/06/18 12:18, Petr Menšík wrote:
> Hi Simon and others!
> 
> I am thinking about dnssec support of dnsmasq. Is it possible to enable
> dnssec support, but disable dnssec validation at the same time? Bind for
> example has options dnssec-enable and dnssec-validation. There is
> option proxy-dnssec, but I think it only copies the AD flag in replies. The
> flag itself is worthless I think.
> 
> I have one issue with dnsmasq in RHEL. We support special FIPS 140-2
> mode with certified crypto libraries. gnutls is certified but nettle
> alone is not. Current versions in RHEL have disabled DNSSEC support. In
> Fedora it is enabled. Using gnutls for all crypto operations would make
> it trusted also.
> 
> Thing is, we would recommend using a certified DNSSEC resolver behind
> dnsmasq. Problem is that without dnssec support, any server using
> dnsmasq as caching proxy is not able to validate a single thing. This is
> often the case with libvirt.
> 
> Libvirt uses dnsmasq for DNS and DHCP. Any virtual machine under it is
> configured dynamically. But it is impossible to use validating resolver
> in such machine, like unbound. We use it together with dnssec-trigger to
> automatically configure from DHCP. Just try dig +dnssec in any libvirt
> machine. No signatures are included. Secondary problem is that libvirt
> has currently no way to enable dnssec in its configuration. But that is
> not to solve here.
> 
> Is there a reason why validation and passing the do bit and including
> signatures in replies are bundled together? I think dnssec support should
> be enabled by default today. But because dnssec validation can
> require cryptography support and configuration of trusted
> anchors, it is not so wise to enable it by default.
> 
> Would a patch splitting support for DNSSEC queries from validation be
> welcome? What do you think about turning dnssec queries
> support on by default, so dig +dnssec would pass signatures without
> additional configuration?
> 

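The cache-answer decision described in Simon's reply above, modelled as an added example. This is not dnsmasq source: the flag values, the answer_from_cache_buggy / answer_from_cache_fixed names and the bug_reproduces helper are constructed here to show the two predicates side by side, with the line-1666 form next to the line-1468 form.

```c
/* Added example, not dnsmasq source: a small model of the cache-answer
 * decision discussed in the thread. The flag values and function names
 * are constructed for this example and do not match dnsmasq's own
 * definitions in dnsmasq.h. */
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag bits, named after the ones used in the discussion. */
#define F_HOSTS    (1u << 0)  /* entry came from /etc/hosts */
#define F_DHCP     (1u << 1)  /* entry came from a DHCP lease */
#define F_CONFIG   (1u << 2)  /* entry came from dnsmasq's own config */
#define F_DNSSECOK (1u << 3)  /* zone known to be signed; only valid when
                                 validation is enabled, otherwise always 0 */

#define F_LOCAL (F_HOSTS | F_DHCP | F_CONFIG)

/* Buggy form (line-1666 shape): consults F_DNSSECOK whether or not
 * validation is enabled. With validation off the bit is always clear, so
 * every query is served from the cache and the client's do-bit is ignored. */
bool answer_from_cache_buggy(unsigned flags, bool do_bit, bool validation_on)
{
    (void)validation_on; /* the buggy form never looks at this */
    return (flags & F_LOCAL) || !do_bit || !(flags & F_DNSSECOK);
}

/* Fixed form (line-1468 shape): F_DNSSECOK is only consulted when
 * validation is enabled, so with validation off a do-bit query is always
 * forwarded upstream, where the DNSSEC RRs the client asked for are included. */
bool answer_from_cache_fixed(unsigned flags, bool do_bit, bool validation_on)
{
    return (flags & F_LOCAL) || !do_bit ||
           (validation_on && !(flags & F_DNSSECOK));
}

/* The situation the thread is about: validation compiled out or disabled,
 * a cached upstream answer, and a client asking with dig +dnssec.
 * Returns true when the two predicates disagree, i.e. the bug is present. */
bool bug_reproduces(void)
{
    unsigned cached_upstream = 0; /* no local flags; F_DNSSECOK cannot be set */
    bool do_bit = true, validation_on = false;
    return answer_from_cache_buggy(cached_upstream, do_bit, validation_on) !=
           answer_from_cache_fixed(cached_upstream, do_bit, validation_on);
}

int main(void)
{
    /* Constructed cases covering local entries, signed and unsigned zones. */
    struct { const char *what; unsigned flags; bool do_bit; bool valid; } cases[] = {
        { "upstream record, do-bit, validation off",    0,          true,  false },
        { "upstream record, no do-bit, validation off", 0,          false, false },
        { "signed zone, do-bit, validation on",         F_DNSSECOK, true,  true  },
        { "unsigned zone, do-bit, validation on",       0,          true,  true  },
        { "DHCP lease, do-bit, validation off",         F_DHCP,     true,  false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-45s buggy: %-8s fixed: %s\n", cases[i].what,
               answer_from_cache_buggy(cases[i].flags, cases[i].do_bit, cases[i].valid)
                   ? "cache" : "forward",
               answer_from_cache_fixed(cases[i].flags, cases[i].do_bit, cases[i].valid)
                   ? "cache" : "forward");
    return 0;
}
```

Only the first case differs between the two forms: with validation off and the do-bit set, the buggy predicate serves the cached answer (so the client never sees the RRSIGs it asked for), while the fixed one forwards the query. Every other case, including local hosts and DHCP entries, is answered from the cache by both.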


[Dnsmasq-discuss] DNSSEC passtrough

2018-06-29 Thread Petr Menšík
Hi Simon and others!

I am thinking about dnssec support of dnsmasq. Is it possible to enable
dnssec support, but disable dnssec validation at the same time? Bind for
example has options dnssec-enable and dnssec-validation. There is
option proxy-dnssec, but I think it only copies the AD flag in replies. The
flag itself is worthless I think.

I have one issue with dnsmasq in RHEL. We support special FIPS 140-2
mode with certified crypto libraries. gnutls is certified but nettle
alone is not. Current versions in RHEL have disabled DNSSEC support. In
Fedora it is enabled. Using gnutls for all crypto operations would make
it trusted also.

Thing is, we would recommend using a certified DNSSEC resolver behind
dnsmasq. Problem is that without dnssec support, any server using
dnsmasq as caching proxy is not able to validate a single thing. This is
often the case with libvirt.

Libvirt uses dnsmasq for DNS and DHCP. Any virtual machine under it is
configured dynamically. But it is impossible to use validating resolver
in such machine, like unbound. We use it together with dnssec-trigger to
automatically configure from DHCP. Just try dig +dnssec in any libvirt
machine. No signatures are included. Secondary problem is that libvirt
has currently no way to enable dnssec in its configuration. But that is
not to solve here.

Is there a reason why validation and passing the do bit and including
signatures in replies are bundled together? I think dnssec support should
be enabled by default today. But because dnssec validation can
require cryptography support and configuration of trusted
anchors, it is not so wise to enable it by default.

Would a patch splitting support for DNSSEC queries from validation be
welcome? What do you think about turning dnssec queries
support on by default, so dig +dnssec would pass signatures without
additional configuration?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
