Hello,

I own a domain (kleine-koenig.org) and my OpenWrt router ("happy")
(OpenWrt 24.10.0-rc5 with dnsmasq-full 2.90-r3) in my homenet uses
(among others) the following configuration settings:

        domain=kk4.kleine-koenig.org
        local=/kk4.kleine-koenig.org/
        server=/kleine-koenig.org/192.168.128.3
        auth-server=happy.kleine-koenig.org,192.168.128.4
        auth-zone=kk4.kleine-koenig.org

On the nameserver on 192.168.128.3 I have:

        $ dig +short @192.168.128.3 kk4.kleine-koenig.org NS
        happy.kleine-koenig.org.
        $ dig +short @192.168.128.3 happy.kleine-koenig.org
        192.168.128.4

So dnsmasq serves a recursor on 192.168.144.1 and the auth on 192.168.128.4.

From a host in the homenet I can resolve happy.kk4.kleine-koenig.org just
fine:

        $ dig +dnssec +short @192.168.144.1 happy.kk4.kleine-koenig.org
        192.168.144.1

but when trying to verify that address using dnssec this fails:

        $ delv @192.168.144.1 happy.kk4.kleine-koenig.org
        ;; no valid RRSIG resolving 'kk4.kleine-koenig.org/DS/IN': 192.168.144.1#53
        ;; broken trust chain resolving 'happy.kk4.kleine-koenig.org/A/IN': 192.168.144.1#53
        ;; resolution failed: broken trust chain

When asking 192.168.128.3 it works fine:

        $ delv @192.168.128.3 happy.kk4.kleine-koenig.org
        ; unsigned answer
        happy.kk4.kleine-koenig.org. 417 IN     A       192.168.144.1

as it does when asking for an unrelated DNSSEC-signed name:

        $ delv @192.168.144.1 www.powerdns.org
        ; fully validated
        www.powerdns.org.       3276    IN      CNAME   powerdns.org.
        www.powerdns.org.       3276    IN      RRSIG   CNAME 13 3 3600 20250123000000 20250102000000 13432 powerdns.org. eVhqAkmhMBgvFYcR+g3kRU2ERtYcJBJghurQsNS4Uz7tyttghf5AU7PX iG4HrsAjwNoyzzOycfxzYrD9r8cHIw==
        powerdns.org.           3276    IN      A       149.210.160.248
        powerdns.org.           3276    IN      RRSIG   A 13 2 3600 20250123000000 20250102000000 13432 powerdns.org. L9J8qokzJSgO1lHeHRY+lZnHNbJL4mxaHCmpSrIHrZB0rhgrC5//Wi6Z w9e08oMHP+lDWA+NfpZgUBh5l94gmw==

The problem (I think) is that dnsmasq doesn't answer the query for an NS
record on the recursive side:

        $ nslookup -type=ns kk4.kleine-koenig.org 192.168.144.1
        Server:         192.168.144.1
        Address:        192.168.144.1#53

        Non-authoritative answer:
        *** Can't find kk4.kleine-koenig.org: No answer

        Authoritative answers can be found from:

(but it does on the auth side:

        $ nslookup -type=ns kk4.kleine-koenig.org 192.168.128.4
        Server:         192.168.128.4
        Address:        192.168.128.4#53

        kk4.kleine-koenig.org   nameserver = happy.kleine-koenig.org.

).

I would have expected the NS query on the recursive side to also
yield happy.kleine-koenig.org?! Am I missing something, or is this a bug?

Best regards
Uwe


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
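An added example, not part of Uwe's post and not dnsmasq code: a stdlib-only Python probe that sends the same NS query (RD set, EDNS0 OPT with the DO bit, as dig +dnssec and delv do) to a server and reports whether the answer section actually carries an NS RRset or comes back NOERROR with an empty answer, which is what leaves a validator with no DS/NS to chain to. The two wire-format responses embedded below are constructed to mirror the recursor-side and auth-side nslookup results quoted in the post, not captured traffic; the server addresses in the `__main__` block are the ones the post names.

```python
"""Probe whether a DNS endpoint delivers the NS RRset for a zone (stdlib only).
Added example for the thread above; samples are constructed, addresses are from the post."""
import socket
import struct

TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, dnssec_ok=True):
    """Standard query (RD set) plus an EDNS0 OPT RR with the DO bit, like dig +dnssec / delv."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
    return header + question + opt

def read_name(msg, off):
    """Decode a possibly compressed name; returns (text, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(msg):
    """Parse header and all sections into {'rcode', 'aa', 'records': [(section, owner, type, text)]}."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off = off + 10
            if rtype == TYPE_NS:  # NS target may itself be compressed, so decode in place
                text, _ = read_name(msg, rdata_off)
            elif rtype == TYPE_A and rdlen == 4:
                text = socket.inet_ntoa(msg[rdata_off:rdata_off + 4])
            else:
                text = msg[rdata_off:rdata_off + rdlen].hex()
            records.append((section, owner, rtype, text))
            off = rdata_off + rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "records": records}

def ns_status(parsed):
    """Summarise an NS response: the delegation names, or why a validator has nothing to chain to."""
    if parsed["rcode"] != 0:
        return "rcode=%d" % parsed["rcode"]
    targets = [text for section, _owner, rtype, text in parsed["records"]
               if section == "answer" and rtype == TYPE_NS]
    if targets:
        return "NS: " + ", ".join(targets)
    return "NODATA (NOERROR, empty answer section)"

def query(server, name, qtype=TYPE_NS, timeout=2.0):
    """Send one UDP query and parse the reply (needs network access)."""
    req = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != req[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)

# Constructed samples mirroring the two nslookup results in the post (not captured traffic).
QUESTION = encode_name("kk4.kleine-koenig.org") + struct.pack("!HH", TYPE_NS, 1)
# Recursor side: QR|RD|RA, NOERROR, zero answer records.
SAMPLE_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
# Auth side: QR|AA|RD|RA, one NS RR; RDATA is "happy" + pointer to "kleine-koenig.org" at offset 16.
SAMPLE_NS = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + QUESTION
             + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 3600, 8) + b"\x05happy\xc0\x10")

if __name__ == "__main__":
    for server in ("192.168.144.1", "192.168.128.4"):  # recursor and auth-server addresses from the post
        try:
            print(server, ns_status(query(server, "kk4.kleine-koenig.org")))
        except (OSError, ValueError) as exc:
            print(server, "query failed:", exc)
```

Run against the two addresses, the script prints one status line per server; under the behaviour described in the post the recursor side comes back as NODATA while the auth side names happy.kleine-koenig.org. Passing `qtype=43` to `query()` asks for the DS record instead, which is the lookup delv reports as failing in the first place.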
