The DNSSEC reply causing the failure is a bug in the upstream DNS server. DS data is supposed to come from the domain above the request. To use this example, any query for *.admanmedia.com will get its answer from the authoritative servers for admanmedia.com EXCEPT a query for DS admanmedia.com, which should come from the authoritative servers for com. This is necessary because it's the DS records which carry the chain of trust from the com servers to the admanmedia.com servers.
In the packet captures, when things work the reply to the DS query is the correct one from the .com auth servers, and when it fails it's what the admanmedia.com auth servers reply to that query. This looks like an intermittent bug in the recursive DNS server that dnsmasq is talking to. The problem is that the faulty reply has the answer signed by an admanmedia.com key, and to verify that needs the answer to a DS query for admanmedia.com, hence the infinite loop. The fixed code detects the infinite loop and gives up, which is good. It should return the SERVFAIL error code, but it doesn't, which is not right. I'll check with that. A SERVFAIL error code should cause the client to retry, and as this is an intermittent error upstream, it will likely succeed on the next retry.

Thanks for your efforts chasing this down. Massively useful. This really vindicates the decision to add the ability to dump packet captures: it makes it easy to get comprehensive information about rare events.

Cheers,

Simon.

On 17/01/2022 22:30, Byrne, John via Dnsmasq-discuss wrote:
> After much messing about, I finally realized I'd gotten to the point
> where I could write a simple script to attempt to generate the problem
> and did so. I've now reproduced the problem on x86 Linux with v2.86 tag
> in the git repo, which made things much easier.
>
> The attached tar ball contains the script, my config file, my Makefile.
> The directories success and failure contain a capture of a v2.86 failure
> and success. The DNSSEC reply causing the failure is interesting.
>
> failure: 190.098203 8.8.4.4 0.0.0.0 DNS 319 Standard query response 0x2b96 DS
> admanmedia.com CNAME admanmedia.com.edgekey.net RRSIG CNAME
> e11261.dscd.akamaiedge.net SOA n0dscd.akamaiedge.net OPT
>
> success: 197.418939 8.8.4.4 0.0.0.0 DNS 888 Standard query response 0xff70 DS
> admanmedia.com NSEC3 RRSIG SOA a.gtld-servers.net RRSIG NSEC3 RRSIG OPT
>
> The directory new contains a capture of the sequence that caused the failure
> against 2.87test5-16-g27ce754 and dnsmasq abandoned the validation and
> did not loop. Certainly better than what it used to do, but is it correct?
>
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 15 mask 0x0001
> Jan 17 13:53:17 dnsmasq[143548]: query[A] cs.admanmedia.com from 127.0.0.1
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 16 mask 0x0004
> Jan 17 13:53:17 dnsmasq[143548]: forwarded cs.admanmedia.com to 8.8.4.4
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 17 mask 0x0008
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 18 mask 0x0010
> Jan 17 13:53:17 dnsmasq[143548]: dnssec-query[DS] admanmedia.com to 8.8.4.4
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 19 mask 0x0020
> Jan 17 13:53:17 dnsmasq[143548]: detected DNSSEC dependency loop involving admanmedia.com
> Jan 17 13:53:17 dnsmasq[143548]: validation cs.admanmedia.com is ABANDONED
> Jan 17 13:53:17 dnsmasq[143548]: reply cs.admanmedia.com is 88.214.206.247
> Jan 17 13:53:17 dnsmasq[143548]: dumping UDP packet 20 mask 0x0002
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
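The zone-cut rule and the dependency loop described in Simon's reply, as an added Python model that is not part of the thread and is not dnsmasq's code. The model generalises the admanmedia.com case to any name: a DS record for a zone must be produced by the parent zone, a signer's key is trusted only through that DS record, and a validator that tracks the DS lookups already in progress can recognise when the reply it is trying to verify depends on itself and return SERVFAIL instead of looping. The `Answer` records, the two upstream functions, and anchoring trust at com rather than at the root are constructed assumptions for illustration; signature checks are assumed to pass.

```python
"""Toy model of DNSSEC DS lookups and the dependency loop from the thread.

Constructed example: the Answer records, the two upstream functions and the
trust anchor placement are assumptions made for illustration, not packet data
and not dnsmasq's implementation.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

SECURE, INSECURE, SERVFAIL = "SECURE", "INSECURE", "SERVFAIL"
TRUST_ANCHOR = "com"  # assumption: trust is anchored at com here, not at the root


@dataclass(frozen=True)
class Answer:
    """A stripped-down reply: which zone's servers produced it, which zone's
    key signs its RRSIG, and whether it is a signed denial (NSEC3 proof)."""
    from_zone: str
    signer: str
    negative: bool = False


Upstream = Callable[[str, str], Answer]


def parent_zone(name: str) -> str:
    """DS records for NAME live one level up: DS admanmedia.com comes from com."""
    return name.split(".", 1)[1] if "." in name else "."


def ds_reply_misrouted(name: str, reply: Answer) -> bool:
    """True when a DS answer for NAME came from NAME's own servers, not its parent's."""
    return reply.from_zone != parent_zone(name)


def good_upstream(name: str, rrtype: str) -> Answer:
    """Modelled on the 'success' capture: com answers DS admanmedia.com with a
    signed NSEC3 denial, i.e. an unsigned delegation (constructed)."""
    if rrtype == "DS" and name == "admanmedia.com":
        return Answer(from_zone="com", signer="com", negative=True)
    return Answer(from_zone="admanmedia.com", signer="admanmedia.com")


def bad_upstream(name: str, rrtype: str) -> Answer:
    """Modelled on the 'failure' capture: the admanmedia.com servers answer the
    DS query themselves, signed with their own key (constructed)."""
    return Answer(from_zone="admanmedia.com", signer="admanmedia.com")


def validate(name: str, rrtype: str, upstream: Upstream,
             pending: Optional[Set[Tuple[str, str]]] = None,
             trace: Optional[List[str]] = None) -> str:
    """Walk the chain of trust. Each signer's key is trusted only through a DS
    record in its parent, so validating an answer may first require validating
    a DS answer; PENDING records the DS lookups already in progress."""
    pending = set() if pending is None else pending
    trace = [] if trace is None else trace
    reply = upstream(name, rrtype)

    if rrtype == "DS" and ds_reply_misrouted(name, reply):
        trace.append(f"DS {name} answered by {reply.from_zone} servers, "
                     f"expected {parent_zone(name)}")

    if reply.signer == TRUST_ANCHOR:
        # Signed with the anchor key (signature check assumed to pass). A signed
        # denial of DS means the child zone is unsigned: INSECURE, not bogus.
        return INSECURE if (rrtype == "DS" and reply.negative) else SECURE

    need = ("DS", reply.signer)
    if need in pending:
        # The DS lookup we would need is the very lookup we are trying to verify.
        trace.append(f"detected DNSSEC dependency loop involving {reply.signer}")
        return SERVFAIL
    pending.add(need)
    status = validate(reply.signer, "DS", upstream, pending, trace)
    pending.discard(need)
    # SECURE: the signer's key is anchored; INSECURE: unsigned delegation;
    # SERVFAIL: the chain could not be established, so the client should retry.
    return status


def resolve(name: str, rrtype: str, upstream: Upstream) -> Tuple[str, List[str]]:
    """Validate NAME/RRTYPE against UPSTREAM and return (status, diagnostics)."""
    trace: List[str] = []
    return validate(name, rrtype, upstream, trace=trace), trace


if __name__ == "__main__":
    for label, up in (("success", good_upstream), ("failure", bad_upstream)):
        status, trace = resolve("cs.admanmedia.com", "A", up)
        print(f"{label}: cs.admanmedia.com A -> {status}")
        for line in trace:
            print("  " + line)
```

Running the block prints INSECURE with an empty trace for the success capture (the com servers' signed denial of DS makes admanmedia.com an unsigned delegation) and SERVFAIL for the failure capture, with the trace naming both the misrouted DS reply and the loop. The `ds_reply_misrouted` check is a cheap sanity test a validator can apply before touching any signature: a DS answer whose origin is not the parent zone can never complete the chain, so it is worth logging on its own rather than only surfacing as the loop it later causes.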