Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-04-09 Thread Simon Kelley
On 08/04/17 17:33, Patryk Szczygłowski wrote:
> 2017-04-04 22:24 GMT+01:00 Simon Kelley :
> 
>> Which version of dnsmasq are you using? I just tested this domain using
>> the development code, and got the correct result.
>>
> 
> 
> dnsmasq - 2.73-3
> 
> This is the version currently distributed by Turris Omnia (openwrt-based).
> 
> 


2.73 is old and gnarly in DNSSEC terms - it's been a long, hard road to
get this right in dnsmasq. I believe that the most recent public release
- 2.76 should behave correctly in this case.

I be grateful if you could test that, as a check that my tests are valid.


Cheers


Simon.







signature.asc
Description: OpenPGP digital signature
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-04-08 Thread Patryk Szczygłowski
2017-04-04 22:24 GMT+01:00 Simon Kelley :

> Which version of dnsmasq are you using? I just tested this domain using
> the development code, and got the correct result.
>


dnsmasq - 2.73-3

This is the version currently distributed by Turris Omnia (openwrt-based).


-- 
Patryk Szczygłowski
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-04-04 Thread Simon Kelley
Which version of dnsmasq are you using? I just tested this domain using
the development code, and got the correct result.

dnsmasq: query[A] patryk.one.pl from 127.0.0.1
dnsmasq: forwarded patryk.one.pl to 8.8.4.4
dnsmasq: forwarded patryk.one.pl to 8.8.8.8
dnsmasq: dnssec-query[DS] pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 61045, algo 8
dnsmasq: reply . is DNSKEY keytag 14796, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply pl is DS keytag 2216, algo 8, digest 2
dnsmasq: dnssec-query[DS] one.pl to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] pl to 8.8.8.8
dnsmasq: reply pl is DNSKEY keytag 2216, algo 8
dnsmasq: reply pl is DNSKEY keytag 55609, algo 8
dnsmasq: reply pl is DNSKEY keytag 53575, algo 8
dnsmasq: reply pl is DNSKEY keytag 61674, algo 8
dnsmasq: reply one.pl is no DS
dnsmasq: validation result is INSECURE
dnsmasq: reply patryk.one.pl is 213.5.10.12


Cheers,

Simon.

On 27/03/17 16:37, Patryk Szczygłowski wrote:
> Hello,
> 
> I have domain signed with DNSSEC: patryk.one.pl 
> The issue is, the parent one.pl  is completely void of
> DNSSEC support (and it will probably never get fixed).
> 
> Therefore:
> - . is signed
> - .pl is signed, no DS for .one.pl 
> - .one.pl  is NOT signed, no DNSKEY, no DS for
> .patryk.one.pl 
> - .patryk.one.pl  is signed
> 
> My domain is registered with dlv.isc.org , but this
> not important anymore, as they announced closing down.
> 
> Have a look here:
> http://dnsviz.net/d/patryk.one.pl/dnssec/
> 
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In
> consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> https://tools.ietf.org/html/rfc4035#section-5.1
> 
> It should mark BOGUS only if top-bottom validation determies DS in
> parent but missing DNSKEY in child.
> 
> Current behaviour is promoting a race condition, when the domain owner
> enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
> 
> The same situation was few years ago, when TLDs were gradually enabled,
> when for a while they were signed with DNSKEY without DS being set on
> parent, only to be put several months later. There are still unsigned
> TLDs and I think they will stop being resolved completely when this
> happens again.
> 
> Google Public DNS behaviour is correct.
> 
> -- 
> Patryk Szczygłowski
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



signature.asc
Description: OpenPGP digital signature
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-03-29 Thread Patryk Szczygłowski
2017-03-27 17:38 GMT+01:00 Simon Kelley :

> This is a real problem, and I plan to look at it (and all the other
> stuff I've been ignoring.) ASAP. I'm moving house just now, so very
> short of time. If I don't produce something by the end of next week,
> please prod me again.
>

Ok, I will remind myself. Thanks.

Cheers,
-- 
Patryk Szczygłowski
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-03-27 Thread Simon Kelley
This is a real problem, and I plan to look at it (and all the other
stuff I've been ignoring.) ASAP. I'm moving house just now, so very
short of time. If I don't produce something by the end of next week,
please prod me again.


Cheers,

Simon.


On 27/03/17 16:37, Patryk Szczygłowski wrote:
> Hello,
> 
> I have domain signed with DNSSEC: patryk.one.pl 
> The issue is, the parent one.pl  is completely void of
> DNSSEC support (and it will probably never get fixed).
> 
> Therefore:
> - . is signed
> - .pl is signed, no DS for .one.pl 
> - .one.pl  is NOT signed, no DNSKEY, no DS for
> .patryk.one.pl 
> - .patryk.one.pl  is signed
> 
> My domain is registered with dlv.isc.org , but this
> not important anymore, as they announced closing down.
> 
> Have a look here:
> http://dnsviz.net/d/patryk.one.pl/dnssec/
> 
> The issue is dnsmasq is returning BOGUS instead of INSECURE. In
> consequence the domain does not resolve.
> I believe it is in contradiction with RFC:
> https://tools.ietf.org/html/rfc4035#section-5.1
> 
> It should mark BOGUS only if top-bottom validation determies DS in
> parent but missing DNSKEY in child.
> 
> Current behaviour is promoting a race condition, when the domain owner
> enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.
> 
> The same situation was few years ago, when TLDs were gradually enabled,
> when for a while they were signed with DNSKEY without DS being set on
> parent, only to be put several months later. There are still unsigned
> TLDs and I think they will stop being resolved completely when this
> happens again.
> 
> Google Public DNS behaviour is correct.
> 
> -- 
> Patryk Szczygłowski
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



signature.asc
Description: OpenPGP digital signature
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

2017-03-27 Thread Patryk Szczygłowski
Hello,

I have domain signed with DNSSEC: patryk.one.pl
The issue is, the parent one.pl is completely void of DNSSEC support (and
it will probably never get fixed).

Therefore:
- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed

My domain is registered with dlv.isc.org, but this not important anymore,
as they announced closing down.

Have a look here:
http://dnsviz.net/d/patryk.one.pl/dnssec/

The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence
the domain does not resolve.
I believe it is in contradiction with RFC:
https://tools.ietf.org/html/rfc4035#section-5.1

It should mark BOGUS only if top-bottom validation determies DS in parent
but missing DNSKEY in child.

Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.

The same situation was few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned TLDs
and I think they will stop being resolved completely when this happens
again.

Google Public DNS behaviour is correct.

-- 
Patryk Szczygłowski
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss