Re: [Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain
On 18/07/2019 10:57, Hamish Moffatt wrote:
> Yes it does work with 8.8.8.8.
>
> It works if I query 1.1.1.1 directly with dig though, or use proxy-dnssec.

The problem is not the answer to the query, it's that for dnsmasq to validate the answer, it has to make a set of further queries, and Cloudflare's answer to one of those queries is strange and/or wrong: the requested data is provided, but not the digital signature which validates it. I've only seen this effect from Cloudflare, and, as I recall, only sometimes; repeating the query sometimes gets the expected answer.

Cheers,

Simon.

>
> Thanks,
> Hamish
>
> PS Did you mean to reply off-list?

No, my mistake, I've added the list back.

>
> On 18/7/19 7:03 pm, Simon Kelley wrote:
>> Does it work if you use 8.8.8.8 instead of 1.1.1.1? I'm pretty sure this is a cloudflare bug, but I've failed to get them to take notice of it so far.
>>
>> Simon.
>>
>> On 18/07/2019 02:37, Hamish Moffatt wrote:
>>> It looks like it's the same. I can't query the www.vp4.navy.mil site listed in that other report with validation enabled either.
>>>
>>> dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2
>>> dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1
>>> dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
>>> dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
>>> dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS
>>> dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is
>>>
>>> dnsmasq[14688]: 7 192.168.42.2/43514 query[A] 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from 192.168.42.2
>>> dnsmasq[14688]: 7 192.168.42.2/43514 forwarded 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo 8, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflare.net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 2129, algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 59540, algo 8
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DS keytag 2371, algo 13, digest 2
>>> dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] cloudflare.net to 1.1.1.1
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 34505, algo 13
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 2371, algo 13
>>> dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
>>> dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
>>> dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is
>>>
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.225.45
>>> dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.224.45
>>>
>>>
>>> Hamish
>>>
>>>
>>> On 17/7/19 9:59 pm, Simon Kelley wrote:
>>>> I'm not in a position to look at this for a few days, but in the meantime, http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html discusses a situation which looks, at least superficially, similar. It might be worth turning on DNS logging and seeing if the similarity goes deeper.
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>> On 17/07/2019 06:41, Hamish Moffatt wrote:
>>>>> Hi,
>>>>>
>>>>> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when I visit the Cloudflare test site https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't determine if I have secure DNS enabled.
>>>>>
>>>>> It's trying to look up 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which is failing. dnsmasq is logging:
>>>>>
>>>>> Wed Jul
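Simon's explanation (dnsmasq issues DS and DNSKEY sub-queries to build the chain of trust, and the lookup goes BOGUS when the DS answer for one zone comes back without its signature) can be read straight off the log lines Hamish posted. The script below is an added example written for this page; it is not dnsmasq's own code and was not posted in the thread. It parses lines in the log-queries/log-dnssec format shown above, groups the dnssec-query and reply records by client address/port, ties the global "Insecure DS reply received" warning to the BOGUS DS reply that follows it, and reports the zone at which the chain broke. The parsing rules are assumptions derived only from the line shapes quoted in the thread, and the sample log is a constructed subset of those lines.

```python
"""Reconstruct dnsmasq's DNSSEC validation chain from its log lines.

Added example; not dnsmasq's own code. The line formats handled here are
assumptions taken from the log excerpt quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Everything after the "dnsmasq[pid]: " prefix; a syslog timestamp may precede it.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<body>.*)$")
# "<query-id-or-*> <client-ip>/<port> <rest of record>"
RECORD_RE = re.compile(r"^(?P<id>\S+) (?P<client>[\d.]+/\d+) (?P<rest>.*)$")
# Logged (without a client id) when a DS answer arrives without an RRSIG.
UNSIGNED_DS_MSG = "Insecure DS reply received"

# Constructed sample: a subset of the lines Hamish posted, two client queries.
SAMPLE_LOG = """\
dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2
dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS
dnsmasq[14688]: 7 192.168.42.2/43514 query[A] 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from 192.168.42.2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo 8, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
"""


@dataclass
class ClientQuery:
    name: str
    client: str
    subqueries: dict = field(default_factory=dict)  # (rrtype, zone) -> outcome text
    validation: str = "pending"                     # SECURE / INSECURE / BOGUS
    broken_at: list = field(default_factory=list)   # zones whose DS reply was unusable


def parse_dnsmasq_dnssec_log(text):
    """Return {client: ClientQuery}, one entry per 'query[...]' record seen."""
    queries = {}
    unsigned_pending = False  # set by the warning, consumed by the next BOGUS DS reply
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        body = m.group("body")
        if body.startswith(UNSIGNED_DS_MSG):
            unsigned_pending = True
            continue
        rec = RECORD_RE.match(body)
        if not rec:
            continue
        client, words = rec.group("client"), rec.group("rest").split()
        if not words:
            continue
        if words[0].startswith("query["):
            queries[client] = ClientQuery(name=words[1], client=client)
            continue
        cq = queries.get(client)
        if cq is None:
            continue
        if words[0].startswith("dnssec-query["):
            rrtype = words[0][len("dnssec-query["):-1]
            cq.subqueries[(rrtype, words[1])] = "sent"
        elif words[0] == "reply" and len(words) >= 4:
            zone, verdict = words[1], words[3]
            if verdict == "BOGUS":
                rrtype = words[4] if len(words) > 4 else "?"
                reason = "DS answer arrived without RRSIG" if unsigned_pending else "signature did not verify"
                cq.subqueries[(rrtype, zone)] = f"BOGUS ({reason})"
                cq.broken_at.append(zone)
                unsigned_pending = False
            elif verdict in ("DS", "DNSKEY"):
                cq.subqueries[(verdict, zone)] = "ok: " + " ".join(words[4:])
        elif words[0] == "validation" and len(words) >= 4:
            cq.validation = words[3]
    return queries


def summarize(queries):
    """One line per client query saying where, if anywhere, the chain broke."""
    lines = []
    for cq in queries.values():
        if cq.broken_at:
            lines.append(f"{cq.name}: {cq.validation}, chain broke at DS for {', '.join(cq.broken_at)}")
        else:
            lines.append(f"{cq.name}: {cq.validation}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_dnsmasq_dnssec_log(SAMPLE_LOG)):
        print(line)
```

Run against a real log (dnsmasq with log-queries and log-dnssec enabled), the summary separates an upstream that strips or omits RRSIGs from a genuinely bad signature: the former shows up as a BOGUS DS reply immediately preceded by the "Insecure DS reply received" warning, which is exactly the pattern in both of Hamish's lookups.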
Re: [Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain
It looks like it's the same. I can't query the www.vp4.navy.mil site listed in that other report with validation enabled either.

dnsmasq[14688]: 323 192.168.42.2/60372 query[A] www.vp4.navy.mil from 192.168.42.2
dnsmasq[14688]: 323 192.168.42.2/60372 forwarded www.vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/60372 dnssec-query[DS] vp4.navy.mil to 1.1.1.1
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/60372 reply vp4.navy.mil is BOGUS DS
dnsmasq[14688]: 323 192.168.42.2/60372 validation www.vp4.navy.mil is BOGUS
dnsmasq[14688]: 323 192.168.42.2/60372 reply www.vp4.navy.mil is

dnsmasq[14688]: 7 192.168.42.2/43514 query[A] 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com from 192.168.42.2
dnsmasq[14688]: 7 192.168.42.2/43514 forwarded 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflareresolve.com is DS keytag 64088, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] is-cf.cloudflareresolve.com to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DS keytag 35886, algo 8, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DS] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 35886, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 2129, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply net is DNSKEY keytag 59540, algo 8
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DS keytag 2371, algo 13, digest 2
dnsmasq[14688]: * 192.168.42.2/43514 dnssec-query[DNSKEY] cloudflare.net to 1.1.1.1
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 34505, algo 13
dnsmasq[14688]: * 192.168.42.2/43514 reply cloudflare.net is DNSKEY keytag 2371, algo 13
dnsmasq[14688]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
dnsmasq[14688]: * 192.168.42.2/43514 reply is-cf.cloudflareresolve.com is BOGUS DS
dnsmasq[14688]: 7 192.168.42.2/43514 validation 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is BOGUS
dnsmasq[14688]: 7 192.168.42.2/43514 reply 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com is

dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.225.45
dnsmasq[14688]: 7 192.168.42.2/43514 reply is-cf.cloudflareresolve.com.cdn.cloudflare.net is 104.16.224.45


Hamish


On 17/7/19 9:59 pm, Simon Kelley wrote:
> I'm not in a position to look at this for a few days, but in the meantime, http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html discusses a situation which looks, at least superficially, similar. It might be worth turning on DNS logging and seeing if the similarity goes deeper.
>
> Cheers,
>
> Simon.
>
> On 17/07/2019 06:41, Hamish Moffatt wrote:
>> Hi,
>>
>> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when I visit the Cloudflare test site https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't determine if I have secure DNS enabled.
>>
>> It's trying to look up 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which is failing. dnsmasq is logging:
>>
>> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
>>
>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
>>
>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS. If I query stubby directly, it also succeeds.
>>
>> It seems to work OK with other domains like cloudflare.com, just not the test site.
>>
>> Hamish

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
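The two dig transcripts quoted in this message differ in exactly the two header fields worth reading: the status (SERVFAIL from the validating dnsmasq, NOERROR from 1.1.1.1 asked directly) and the ad flag, which 1.1.1.1 sets because it validated the answer itself. That is also why proxy-dnssec "works" in the later reply: it passes the upstream's AD bit through instead of validating locally. The helper below is an added example written for this page, not from the thread and not part of dig; it parses the header and flags lines of a dig transcript into a small dict and classifies the outcome. The two transcripts it embeds are constructed from the output quoted above.

```python
"""Read the header of a dig transcript and say what the resolver did.

Added example, not from the thread or from dig. The embedded transcripts
are constructed from the two dig runs quoted in the message above.
"""
import re

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")
COUNT_RE = re.compile(r"([A-Z]+): (\d+)")   # QUERY: 1, ANSWER: 0, ... on the flags line

# Constructed from the thread: dig through the validating dnsmasq (system resolver).
DIG_VIA_DNSMASQ = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed from the thread: the same query sent straight to 1.1.1.1.
DIG_DIRECT = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig_header(output):
    """Extract the server queried, status, flag set and section counts."""
    info = {"server": "system resolver", "status": None, "flags": set(), "counts": {}}
    for line in output.splitlines():
        if line.startswith("; <<>> DiG"):
            # dig echoes its command line; an @server argument names the target.
            for tok in line.split():
                if tok.startswith("@"):
                    info["server"] = tok[1:]
        m = HEADER_RE.search(line)
        if m:
            info["status"] = m.group("status")
        m = FLAGS_RE.search(line)
        if m:
            info["flags"] = set(m.group("flags").split())
            info["counts"] = {k: int(v) for k, v in COUNT_RE.findall(line)}
    return info


def classify(info):
    """One-line reading of the header: who validated, or whether validation failed."""
    if info["status"] == "SERVFAIL":
        return "SERVFAIL: the resolver could not validate (or reach) the answer"
    if info["status"] == "NOERROR" and "ad" in info["flags"]:
        return f"NOERROR with AD: {info['server']} validated the answer itself"
    if info["status"] == "NOERROR":
        return f"NOERROR without AD: {info['server']} returned an unvalidated answer"
    return f"status {info['status']}"


if __name__ == "__main__":
    for transcript in (DIG_VIA_DNSMASQ, DIG_DIRECT):
        print(classify(parse_dig_header(transcript)))
```

The point of the comparison is that an AD bit from the upstream only tells you the upstream validated; a local validator such as dnsmasq with dnssec enabled still needs the RRSIGs on every DS and DNSKEY it fetches, which is what the direct query cannot demonstrate.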
Re: [Dnsmasq-discuss] DNSSEC validation failing on Cloudflare test domain
I'm not in a position to look at this for a few days, but in the meantime, http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html discusses a situation which looks, at least superficially, similar. It might be worth turning on DNS logging and seeing if the similarity goes deeper.

Cheers,

Simon.

On 17/07/2019 06:41, Hamish Moffatt wrote:
> Hi,
>
> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when I visit the Cloudflare test site https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't determine if I have secure DNS enabled.
>
>
> It's trying to look up 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which is failing. dnsmasq is logging:
>
> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
>
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
>
> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS. If I query stubby directly, it also succeeds.
>
>
> It seems to work OK with other domains like cloudflare.com, just not the test site.
>
>
> Hamish