Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-11 Thread Simon Kelley
On 04/09/2019 18:40, Tore Anderson wrote:
>
> (By the way, I did send the promised PCAP yesterday. However, because the
> message was >40KB, it was queued for moderation by the mailing list
> administrator.)
>
So you did, it's there, as are several others, which raises the question of why

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-11 Thread Tore Anderson
* Tore Anderson
> I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and
> www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!

Apologies, I botched my test (using the wrong upstream server). It does *not* work, but the error is different:

$ src/dnsmasq -d

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-04 Thread Tore Anderson
* Simon Kelley
> OK. I think I see the problem..
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e24abf28a29574069717af78c1d3e0ede64388ff
>
> should fix.

It does indeed. Good catch!

(By the way, I did send the promised PCAP yesterday. However, because the message was >40KB,

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Simon Kelley
On 03/09/2019 18:29, Tore Anderson wrote:
> * Tore Anderson
>
>> Apologies, I botched my test (using the wrong upstream server). It does
>> *not* work, but the error is different:
>>
>> $ src/dnsmasq -d -p 5353
>> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
>> dnsmasq: compile time

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Tore Anderson
* Tore Anderson
> Apologies, I botched my test (using the wrong upstream server). It does *not*
> work, but the error is different:
>
> $ src/dnsmasq -d -p 5353
> dnsmasq: started, version 2.80-71-g69a0477 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Tore Anderson
Hi again,

> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
>
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus.

As far as I can

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Tore Anderson
Hi Simon,

> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
>
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
>
> ;; ANSWER SECTION:
> mythic-beasts.com.    86400

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Simon Kelley
On 03/09/2019 15:45, Simon Kelley wrote:
> On 31/08/2019 23:06, Tore Anderson wrote:
>> I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes
>> incorrectly return SERVFAIL and log a Bogus verdict when looking up domain
>> names which are Insecure CNAMEs for Secure names.
>>

Re: [Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

2019-09-03 Thread Simon Kelley
On 31/08/2019 23:06, Tore Anderson wrote:
> I've noticed that Dnsmasq git master (2.80-68-gfef2f1c) will sometimes
> incorrectly return SERVFAIL and log a Bogus verdict when looking up domain
> names which are Insecure CNAMEs for Secure names.
>
> For example:
>
> www.ipv6.org.uk. IN CNAME
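The behaviour the original report expects, as an added example that is not dnsmasq code and not anything posted in this thread: a validator that follows a CNAME chain and combines the RFC 4035 section 4.3 states of the RRsets the answer depends on, so that an Insecure CNAME pointing at a Secure target yields an Insecure answer (data returned, AD bit clear) rather than Bogus (SERVFAIL). The zone names, their trust status and the RRsets are constructed for the example; the example only looks at the RRsets the answer actually uses and says nothing about how authority-section records should be treated.

```python
"""Added example, not dnsmasq code: combining DNSSEC validation states
along a CNAME chain. Zone names and trust status below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class State(IntEnum):
    """RFC 4035 section 4.3 states, ordered so that min() over the RRsets
    an answer depends on gives the verdict for the whole answer."""
    BOGUS = 0      # signed zone but no usable signature: SERVFAIL
    INSECURE = 1   # provably unsigned: return the data, AD bit clear
    SECURE = 2     # every RRset verified: AD bit set


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: List[str]
    zone: str                # apex of the zone this RRset lives in
    signed: bool             # an RRSIG was present
    sig_valid: bool = False  # and it verified against the zone's DNSKEY


# Trust status a validator would have established from the DS chain
# (secure) or from a proof that no DS exists (insecure). Constructed.
SECURE_ZONES = {".", "example.", "secure.example."}
INSECURE_ZONES = {"insecure.example."}


def rrset_state(rr: RRset) -> State:
    """State of one RRset given the trust status of its zone."""
    if rr.zone in INSECURE_ZONES:
        return State.INSECURE
    if rr.zone in SECURE_ZONES:
        return State.SECURE if rr.signed and rr.sig_valid else State.BOGUS
    # No chain of trust and no proof of its absence: RFC 4035 calls this
    # Indeterminate; this example folds it into INSECURE.
    return State.INSECURE


def validate_chain(qname: str, qtype: str,
                   answer: Dict[Tuple[str, str], RRset],
                   max_hops: int = 8) -> Tuple[State, List[Tuple[str, str, State]]]:
    """Follow CNAMEs from qname through the answer section and return the
    verdict plus the per-RRset states in chain order. Negative answers
    (NODATA, NXDOMAIN) need denial-of-existence proofs and are out of scope."""
    states: List[Tuple[str, str, State]] = []
    name = qname
    for _ in range(max_hops):
        rr = answer.get((name, qtype))
        if rr is not None:
            states.append((name, qtype, rrset_state(rr)))
            break
        cname = answer.get((name, "CNAME"))
        if cname is None:
            break                      # chain ends without the requested type
        states.append((name, "CNAME", rrset_state(cname)))
        name = cname.rdata[0]
    else:
        return State.BOGUS, states     # CNAME loop or absurd chain length
    if not states:
        raise ValueError("empty answer: negative responses are out of scope")
    return min(s for _, _, s in states), states


TARGET = "www.secure.example."   # constructed target name


def scenario(alias: str, alias_zone: str, alias_signed: bool,
             target_signed: bool, target_valid: bool) -> State:
    """Build a two-RRset answer (alias CNAME -> target A) and validate it."""
    answer = {
        (alias, "CNAME"): RRset(alias, "CNAME", [TARGET], alias_zone,
                                alias_signed, alias_signed),
        (TARGET, "A"): RRset(TARGET, "A", ["192.0.2.10"], "secure.example.",
                             target_signed, target_valid),
    }
    return validate_chain(alias, "A", answer)[0]


def insecure_alias_secure_target() -> State:   # the case in the report
    return scenario("www.insecure.example.", "insecure.example.", False, True, True)


def insecure_alias_bogus_target() -> State:    # a real signature failure
    return scenario("www.insecure.example.", "insecure.example.", False, True, False)


def secure_alias_secure_target() -> State:     # fully signed chain
    return scenario("alias.secure.example.", "secure.example.", True, True, True)


def cname_loop() -> State:                     # a.example -> b.example -> a.example
    a, b = "a.insecure.example.", "b.insecure.example."
    answer = {(a, "CNAME"): RRset(a, "CNAME", [b], "insecure.example.", False),
              (b, "CNAME"): RRset(b, "CNAME", [a], "insecure.example.", False)}
    return validate_chain(a, "A", answer)[0]


if __name__ == "__main__":
    for fn in (insecure_alias_secure_target, insecure_alias_bogus_target,
               secure_alias_secure_target, cname_loop):
        print(f"{fn.__name__}: {fn().name}")
```

The ordering of `State` is the whole point: a Bogus link anywhere in the chain must win over an Insecure one (the validator must not hand out data it has shown to be forged), while an Insecure link only demotes an otherwise Secure answer. The first scenario is the report's case and yields INSECURE, not BOGUS; the second shows that a genuine RRSIG failure on the target is still reported as BOGUS even though the alias is unsigned.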