Hello,
Prior to commit «3934155 Cope with multiple interfaces with the same LL
address.» this worked fine:
$ dnsmasq -dqhRS fe80::1234@eth0
After the mentioned commit this no longer works. I can confirm (using
tcpdump) that the queries are forwarded just fine to fe80::1234 on the
eth0
* Simon Kelley
> I just pushed
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
>
> Which makes the following changes:
>
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the
Hi Simon,
> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
>
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
>
> ;; ANSWER SECTION:
> mythic-beasts.com.	86400
Hi again,
> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
>
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can
* Tore Anderson
> Apologies, I botched my test (using the wrong upstream server). It does *not*
> work, but the error is different:
>
> $ src/dnsmasq -d -p 5353
> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no
Hi Simon,
> Now, it's certainly possible to verify that the DS record doesn't exist
> without relying on the data in the SOA record. BUT there is a problem:
> having determined securely that the DS record doesn't exist, dnsmasq
> caches that information, and it uses data from the SOA record to
>
I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes
incorrectly return SERVFAIL and log a Bogus verdict when looking up domain
names which are Insecure CNAMEs for Secure names.
For example:
www.ipv6.org.uk. IN CNAME proxy.mythic-beasts.com.
www.linuxquestions.org. IN CNAME
* Simon Kelley
> OK. I think I see the problem..
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff
>
> should fix.
It does indeed. Good catch!
(By the way, I did send the promised PCAP yesterday. However, because the
message was >40KB,
* Tore Anderson
> I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and
> www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!
Apologies, I botched my test (using the wrong upstream server). It does *not*
work, but the error is different:
$ src/dnsm
Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as
appropriate:
log-queries
no-hosts
no-resolv
server=1.1.1.1@wlp2s0
Start Dnsmasq and send it a TCP query:
$ src/dnsmasq -d -p 5333
dnsmasq: started, version 2.80-72-ge24abf2 cachesize 150
dnsmasq: compile time options: IPv6
* Tore Anderson
> Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as
> appropriate:
>
> log-queries
> no-hosts
> no-resolv
> server=1.1.1.1@wlp2s0
>
> Start Dnsmasq and send it a TCP query:
>
> $ src/dnsmasq -d -p 5333
Bisected:
305ffb5
* B. Cook
> I can't find the actual documentation at the moment..
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=man/dnsmasq.8;h=bc5ae6360f5459d99cafb78d34c532e5b087abf6;hb=HEAD#l474
> iirc dnsmasq port designation is # not @
While that is true, it is irrelevant, as I am not specifying
* Simon Kelley
> I got the wrong capability, it needs CAP_NET_RAW, not CAP_NET_ADMIN. Fix
> pushed to git.
Works now, thanks!
Tore
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
* Simon Kelley
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=90d7c6b97dbae2c913e7bb7af9c6c0f874493092
>
> should fix this, if I've understood it right.
Hi Simon,
Not quite. With this patch, Dnsmasq does refuse to start as non-root:
$ src/dnsmasq
dnsmasq: process is missing
* Geert Stappers
>> Here are the corresponding log lines from Dnsmasq:
>>
>> nov. 29 07:15:53.964856 sloth.fud.no dnsmasq[48069]: query[A]
>> l1-g9-osl2.n.bitbit.net from 127.0.0.1
>> nov. 29 07:15:53.965060 sloth.fud.no dnsmasq[48069]: forwarded
>> l1-g9-osl2.n.bitbit.net to 87.238.33.1
>>
* Geert Stappers
> Could caching be involved? That we are seeing only when it fails,
> not seeing in the libpcap file what led to the fail?
I think you are right.
It is a cache miss - the bug occurs when SSH-ing to an FQDN for the first time
after Dnsmasq has started, so the SSHFP record is
Hello,
I've noticed that Dnsmasq on my system sometimes enters a defective state where
it starts spinning on the CPU. When it has entered this state, I need to send
it SIGKILL to get rid of it - SIGTERM is ignored.
The version is current Git master (2.80-93-g6ebdc95).
I've enabled query
* Vladislav Grishenko
> Can you try to capture dns exchange to dnsmasq (on lo interface) and from it
> (on your nic interface) both at the same time?
> $ tcpdump -i lo port 53 -w /path/to/dns-lo.pcap
> $ tcpdump -i <nic> port 53 -w /path/to/dns-ext.pcap
> Highly possible that trigger query (or reply)
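The two threads above both come down to the same question: which query in the log was a cache miss that went upstream, and which of those never got a reply (the "trigger" query to hunt for in the pcap). The following is an added example, not code from the page or from the dnsmasq project: it parses journal-prefixed log-queries lines such as the ones quoted earlier ("query[A] ... from ...", "forwarded ... to ...") and pairs them into one record per query. The "reply ... is ..." and "cached ... is ..." line shapes are taken from dnsmasq's log-queries output as I know it and are not shown on this page; the sample lines are constructed, and the answer addresses (192.0.2.x) are made up.

```python
import re
from collections import deque

# Constructed sample in the layout of the journal excerpt quoted above:
# "<timestamp> <host> dnsmasq[<pid>]: <dnsmasq message>". The upstream
# 87.238.33.1 is the one from the thread; the 192.0.2.x answers are invented.
SAMPLE_LOG = """\
nov. 29 07:15:53.964856 sloth.fud.no dnsmasq[48069]: query[A] l1-g9-osl2.n.bitbit.net from 127.0.0.1
nov. 29 07:15:53.965060 sloth.fud.no dnsmasq[48069]: forwarded l1-g9-osl2.n.bitbit.net to 87.238.33.1
nov. 29 07:15:53.980112 sloth.fud.no dnsmasq[48069]: reply l1-g9-osl2.n.bitbit.net is 192.0.2.10
nov. 29 07:15:54.001002 sloth.fud.no dnsmasq[48069]: query[SSHFP] l1-g9-osl2.n.bitbit.net from 127.0.0.1
nov. 29 07:15:54.001200 sloth.fud.no dnsmasq[48069]: forwarded l1-g9-osl2.n.bitbit.net to 87.238.33.1
nov. 29 07:16:10.120000 sloth.fud.no dnsmasq[48069]: query[A] l1-g9-osl2.n.bitbit.net from 127.0.0.1
nov. 29 07:16:10.120100 sloth.fud.no dnsmasq[48069]: cached l1-g9-osl2.n.bitbit.net is 192.0.2.10
"""

# Strip the journald prefix; everything after "dnsmasq[PID]: " is dnsmasq's own text.
_MSG = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
_QUERY = re.compile(r"^query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$")
_FORWARDED = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
# Assumed line shapes for answers: "reply NAME is DATA" / "cached NAME is DATA".
_ANSWER = re.compile(r"^(?P<how>reply|cached) (?P<name>\S+) is (?P<data>.*)$")


def parse_queries(log_text):
    """Return one record per query[...] line, in log order.

    outcome is 'cached' (served from cache, no upstream traffic),
    'answered' (forwarded and a reply was logged) or 'unanswered'
    (nothing answered it before the log ended).  forwarded/reply lines
    carry only the name, not the query type, so pairing is by name:
    a cache hit is attributed to the newest pending query for that name,
    an upstream reply to the oldest.  This is best-effort when several
    queries for one name are in flight at once.
    """
    records = []
    pending = {}  # name -> deque of records still waiting for an answer
    for line in log_text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        q = _QUERY.match(msg)
        if q:
            rec = {"qtype": q["qtype"], "name": q["name"], "client": q["client"],
                   "upstream": None, "answer": None, "outcome": "unanswered"}
            records.append(rec)
            pending.setdefault(q["name"], deque()).append(rec)
            continue
        f = _FORWARDED.match(msg)
        if f and pending.get(f["name"]):
            pending[f["name"]][-1]["upstream"] = f["upstream"]
            continue
        a = _ANSWER.match(msg)
        if a and pending.get(a["name"]):
            if a["how"] == "cached":
                rec = pending[a["name"]].pop()
                rec["outcome"] = "cached"
            else:
                rec = pending[a["name"]].popleft()
                rec["outcome"] = "answered"
            rec["answer"] = a["data"]
    return records


def unanswered_queries(log_text):
    """Queries that were forwarded (or at least logged) but never answered:
    the candidates for the trigger query to look for in the upstream pcap."""
    return [r for r in parse_queries(log_text) if r["outcome"] == "unanswered"]


if __name__ == "__main__":
    for r in parse_queries(SAMPLE_LOG):
        print(f"{r['qtype']:6} {r['name']:28} {r['outcome']:10} "
              f"upstream={r['upstream']} answer={r['answer']}")
    print("unanswered:", [(r["qtype"], r["name"]) for r in unanswered_queries(SAMPLE_LOG)])
```

Run it over `journalctl -u dnsmasq -o short-precise` output (or the daemon's own stderr when started with -d): the first lookup after start shows up as a forwarded query, the repeat as cached, and anything left in the unanswered list is where to line up the timestamps against the lo and NIC captures.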
* Simon Kelley
> I have an alternative suggestion for the syntax of dhcp-host.
> It's less flexible, but simpler and easier to understand and to explain,
> and uses existing semantics rather than adding new keywords.
>
> The idea is just to add a prefix-length to the address. That allows you
>