On 04/09/2019 18:40, Tore Anderson wrote:
>
> (By the way, I did send the promised PCAP yesterday. However, because the
> message was >40KB, it was queued for moderation by the mailing list
> administrator.)
>
So you did, it's there, as are several others, which raises the question
of why mail
* Tore Anderson
> I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and
> www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!
Apologies, I botched my test (using the wrong upstream server). It does *not*
work, but the error is different:
$ src/dnsmasq -d -
* Simon Kelley
> OK. I think I see the problem..
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff
>
> should fix.
It does indeed. Good catch!
(By the way, I did send the promised PCAP yesterday. However, because the
message was >40KB,
On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
>
>> Apologies, I botched my test (using the wrong upstream server). It does
>> *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time o
On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
>
>> Apologies, I botched my test (using the wrong upstream server). It does
>> *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time o
* Tore Anderson
> Apologies, I botched my test (using the wrong upstream server). It does *not*
> work, but the error is different:
>
> $ src/dnsmasq -d -p 5353
> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 D
Hi again,
> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
>
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can see
Hi Simon,
> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
>
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
>
> ;; ANSWER SECTION:
> mythic-beasts.com.86400
On 03/09/2019 15:45, Simon Kelley wrote:
> On 31/08/2019 23:06, Tore Anderson wrote:
>> I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes
>> incorrectly return SERVFAIL and log a Bogus verdict when looking up domain
>> names which are Insecure CNAMEs for a Secure names.
>>
>>
On 31/08/2019 23:06, Tore Anderson wrote:
> I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes
> incorrectly return SERVFAIL and log a Bogus verdict when looking up domain
> names which are Insecure CNAMEs for a Secure names.
>
> For example:
>
> www.ipv6.org.uk. IN CNAME pr
10 matches
Mail list logo