Hello Simon,

On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
> On 1/18/25 21:56, Uwe Kleine-König wrote:
> > Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
> > with your patch and report back.
> 
> Thanks. I did some more testing and found a couple more bugs. One is
> theoretical and one is real in the sense that I saw it happen, but it
> requires the forwarder part of dnsmasq to be configured with
> 
>  --cache-rr=ANY,
> 
> so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to test
> that.

OK I did, and I see an improvement, namely:

        root@happy:~# dig +dnssec kk4.kleine-koenig.org DS

        ; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 1232
        ; EDE: 29: (Result from negative cache for entire name)
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      DS

        ;; AUTHORITY SECTION:
        kleine-koenig.org.      2295    IN      SOA     ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
        2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
        jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
        b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
        kleine-koenig.org.      2295    IN      RRSIG   SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
        2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
        jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
        b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==

        ;; Query time: 40 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 16:53:06 CET 2025
        ;; MSG SIZE  rcvd: 848

(which lacked the DNSSEC stuff before).

*But* the SOA line mentioned there is the public one, which means that
that

        server=/kleine-koenig.org/192.168.128.3

was ignored here?! (It works when asking directly for the SOA:

        root@happy:~# dig kleine-koenig.org SOA

        ; <<>> DiG 9.20.4 <<>> kleine-koenig.org SOA
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54931
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kleine-koenig.org.             IN      SOA

        ;; ANSWER SECTION:
        kleine-koenig.org.      3496    IN      SOA     ns1.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600

        ;; Query time: 30 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 17:27:26 CET 2025
        ;; MSG SIZE  rcvd: 97

(note ns1.kleine-koenig.org for internal vs. ns2.kleine-koenig.org for
external).

> The NS record is fine. It does get answered from the --auth-server param and
> a client should get the same answer from either the parent zone's auth
> server or the child zone's as long as both have been configured the same.
> It's in the unsigned child zone, so DNSSEC RRs don't apply.

However, I cannot confirm that: as reported in the first mail, I don't get
any answer when asking for the NS record from the forwarder:

        root@happy:~# dig kk4.kleine-koenig.org NS

        ; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19436
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      NS

        ;; Query time: 0 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 16:54:52 CET 2025
        ;; MSG SIZE  rcvd: 50

dnsmasq logs the following for that query:

        Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 query[NS] kk4.kleine-koenig.org from 127.0.0.1
        Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 config kk4.kleine-koenig.org is NODATA

Not sure this is a problem for the DNSSEC verification though.

But there is an answer from the auth side:

        root@happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS

        ; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19283
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        ;; WARNING: recursion requested but not available

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      NS

        ;; ANSWER SECTION:
        kk4.kleine-koenig.org.  600     IN      NS      happy.kleine-koenig.org.

        ;; Query time: 0 msec
        ;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
        ;; WHEN: Sun Jan 19 16:55:01 CET 2025
        ;; MSG SIZE  rcvd: 108

> The DS record is the only thing that HAS to come from the parent, to prove
> that the child is not signed.

Ack.

Apart from the wrong server being asked I don't spot a relevant issue
when comparing the output of

        delv +rtrace +mtrace @192.168.128.3 happy.kk4.kleine-koenig.org
        delv +rtrace +mtrace @127.0.0.1 happy.kk4.kleine-koenig.org

I don't wanna spam the list with these outputs, but I can provide them
in private mail if you're interested. Having said that I think asking
the wrong server for some queries is a valid excuse for delv still
failing because the non-existence for kk4.kleine-koenig.org/DS isn't
properly signed then.

Best regards
Uwe
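
As an added aside for anyone debugging the same kind of "DS proof from the wrong view" situation (this is not code from the thread, from dnsmasq, or from either of the participants): the NSEC3 records in the public DS answer above can be checked by hand. The script below implements the RFC 5155 hash (SHA-1 over the wire-format name plus salt, iterated; salt "-" means empty), parses the three NSEC3 lines as dig printed them (re-used here as constructed sample input), and reports whether a queried name's hash is matched by an NSEC3 owner or only covered by a gap in the chain. The classification it prints for the DS question is an assumption about what a validator would conclude from these records alone; a complete NXDOMAIN proof also needs the closest-encloser and wildcard NSEC3s (RFC 5155 section 8.4), which the script does not chase.

```python
"""NSEC3 (RFC 5155) hashing plus match/cover checks over NSEC3 records
pasted from a dig answer. Added example; not from the dnsmasq thread."""
import base64
import hashlib

# Constructed input: the three NSEC3 RRs from the public DS answer in the
# mail, whitespace re-joined. Parameters are algorithm 1, flags 0,
# 0 iterations, empty salt ("-").
SAMPLE_NSEC3 = """
2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
"""

# RFC 4648 base32 alphabet -> base32hex alphabet (sorts like the raw hash)
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name):
    """Canonical (lowercased) wire form: length-prefixed labels, 0 root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, iterations=0, salt=b"", algorithm=1):
    """RFC 5155 section 5: H(H(...H(name|salt)|salt)...|salt), base32hex."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (algorithm 1) is defined for NSEC3")
    h = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, no padding
    return base64.b32encode(h).decode().translate(_TO_B32HEX).lower()


def parse_nsec3(text):
    """Parse presentation-format NSEC3 RRs; returns (zone, [record dicts])."""
    records, zone = [], None
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 9 or f[3] != "NSEC3":
            continue
        owner_hash, _, rest = f[0].partition(".")
        zone = rest.rstrip(".").lower()
        records.append({
            "owner": owner_hash.lower(),
            "algorithm": int(f[4]), "flags": int(f[5]), "iterations": int(f[6]),
            "salt": b"" if f[7] == "-" else bytes.fromhex(f[7]),
            "next": f[8].lower(),
            "types": set(f[9:]),
        })
    return zone, records


def covers(owner, nxt, h):
    """True if hash h lies strictly inside the gap (owner, next)."""
    if owner < nxt:
        return owner < h < nxt
    if owner > nxt:            # last record of the chain wraps to the first
        return h > owner or h < nxt
    return h != owner          # single-record chain covers every other hash


def lookup(records, name):
    """Return ("match"|"cover"|"none", hash, record) for name."""
    if not records:
        return ("none", None, None)
    p = records[0]             # all RRs in one chain share the parameters
    h = nsec3_hash(name, p["iterations"], p["salt"], p["algorithm"])
    for r in records:
        if r["owner"] == h:
            return ("match", h, r)
    for r in records:
        if covers(r["owner"], r["next"], h):
            return ("cover", h, r)
    return ("none", h, None)


def ds_status(zone, records, name):
    """What this NSEC3 set alone says about <name>/DS (assumed labels)."""
    if name.rstrip(".").lower() == zone:
        return "zone-apex"     # the apex always has NS; never a DS owner
    kind, _, r = lookup(records, name)
    if kind == "match":
        if "DS" in r["types"]:
            return "signed-delegation"
        if "NS" in r["types"]:
            return "insecure-delegation"   # NS present, DS absent: the proof dnsmasq needs
        return "nodata-not-a-delegation"
    if kind == "cover":
        if r["flags"] & 1:
            return "opt-out-span"          # unsigned delegations may hide in here
        return "hash-not-in-chain"         # name absent; full proof needs more NSEC3s
    return "no-proof"


if __name__ == "__main__":
    zone, recs = parse_nsec3(SAMPLE_NSEC3)
    for qname in ("kleine-koenig.org", "kk4.kleine-koenig.org"):
        kind, h, r = lookup(recs, qname)
        print(f"{qname}: hash={h} {kind} via {r['owner'] if r else '-'}"
              f" -> DS status: {ds_status(zone, recs, qname)}")
```

Running it prints, for the apex and for kk4.kleine-koenig.org, which NSEC3 owner matches or covers the query name's hash and what that implies for the DS question. If the record that matches or covers kk4 does not carry NS without DS, the answer cannot prove an insecure delegation, which is the situation the thread describes when the public view, rather than the internal one, is asked.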


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss