On 1/19/25 16:48, Uwe Kleine-König wrote:
Hello Simon,

On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
On 1/18/25 21:56, Uwe Kleine-König wrote:
Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
with your patch and report back.

Thanks. I did some more testing and found a couple more bugs. One is
theoretical and one is real in the sense that I saw it happen, but it
requires the forwarder part of dnsmasq to be configured with

  --cache-rr=ANY,

so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to test
that.

OK I did, and I see an improvement, namely:

        root@happy:~# dig +dnssec kk4.kleine-koenig.org DS

        ; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 1232
        ; EDE: 29: (Result from negative cache for entire name)
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      DS

        ;; AUTHORITY SECTION:
        kleine-koenig.org.      2295    IN      SOA     ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
        2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
        jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
        b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
        kleine-koenig.org.      2295    IN      RRSIG   SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
        2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
        jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
        b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==

        ;; Query time: 40 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 16:53:06 CET 2025
        ;; MSG SIZE  rcvd: 848

(which lacked the DNSSEC stuff before).

*But* the SOA line mentioned there is the public one, which means that

        server=/kleine-koenig.org/192.168.128.3

was ignored here?! (It works when asking directly for the SOA:

It was ignored. The logic is somewhat tortuous, but it goes like this.
The server=/kleine-koenig.org/192.168.128.3 is not available for queries which need DNSSEC validation; a DS query always needs DNSSEC validation, so it doesn't get sent to 192.168.128.3. If you add a DS record for kleine-koenig.org to your config, it should work, assuming that 192.168.128.3 is DNSSEC capable.

        root@happy:~# dig kleine-koenig.org SOA

        ; <<>> DiG 9.20.4 <<>> kleine-koenig.org SOA
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54931
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kleine-koenig.org.             IN      SOA

        ;; ANSWER SECTION:
        kleine-koenig.org.      3496    IN      SOA     ns1.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600

        ;; Query time: 30 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 17:27:26 CET 2025
        ;; MSG SIZE  rcvd: 97

(note ns1.kleine-koenig.org for internal vs. ns2.kleine-koenig.org for
external).

The NS record is fine. It does get answered from the --auth-server param and
a client should get the same answer from either the parent zone's auth
server or the child zone's as long as both have been configured the same.
It's in the unsigned child zone, so DNSSEC RRs don't apply.

However I cannot confirm that: As in the first mail reported I don't get
any answer when asking for the NS record from the forwarder:

        root@happy:~# dig kk4.kleine-koenig.org NS

        ; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19436
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      NS

        ;; Query time: 0 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
        ;; WHEN: Sun Jan 19 16:54:52 CET 2025
        ;; MSG SIZE  rcvd: 50

dnsmasq logs the following for that query:

        Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 query[NS] kk4.kleine-koenig.org from 127.0.0.1
        Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 config kk4.kleine-koenig.org is NODATA

I can't reproduce this here; it works for me.

Not sure this is a problem for the DNSSEC verification though.

It shouldn't be.

But there is an answer from the auth side:

        root@happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS

        ; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19283
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        ;; WARNING: recursion requested but not available

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;kk4.kleine-koenig.org.         IN      NS

        ;; ANSWER SECTION:
        kk4.kleine-koenig.org.  600     IN      NS      happy.kleine-koenig.org.

        ;; Query time: 0 msec
        ;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
        ;; WHEN: Sun Jan 19 16:55:01 CET 2025
        ;; MSG SIZE  rcvd: 108

The DS record is the only thing that HAS to come from the parent, to prove
that the child is not signed.

Ack.

Apart from the wrong server being asked I don't spot a relevant issue
when comparing the output of

        delv +rtrace +mtrace @192.168.128.3 happy.kk4.kleine-koenig.org
        delv +rtrace +mtrace @127.0.0.1 happy.kk4.kleine-koenig.org

I don't wanna spam the list with these outputs, but I can provide them
in private mail if you're interested. Having said that I think asking
the wrong server for some queries is a valid excuse for delv still
failing because the non-existence for kk4.kleine-koenig.org/DS isn't
properly signed then.

Send me stuff off-list. I'd like to see dnsmasq logs too.


Cheers,

Simon.



Best regards
Uwe
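A small helper for the kind of log comparison asked for above: it groups dnsmasq `--log-queries=extra` lines by query serial and reports queries under a `server=/domain/ip` domain that were answered locally or forwarded somewhere other than the configured server. This is an added example, not code from dnsmasq or from either poster; the sample log reuses the two lines quoted in the thread (serial 99) and adds constructed lines for serials 100 and 101.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq --log-queries=extra format. Serial 99 is the
# pair of lines from the thread; 100 and 101 are constructed for illustration.
SAMPLE_LOG = """\
Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 query[NS] kk4.kleine-koenig.org from 127.0.0.1
Sun Jan 19 17:30:09 2025 daemon.info dnsmasq[1]: 99 127.0.0.1/57004 config kk4.kleine-koenig.org is NODATA
Sun Jan 19 17:30:12 2025 daemon.info dnsmasq[1]: 100 127.0.0.1/57010 query[DS] kk4.kleine-koenig.org from 127.0.0.1
Sun Jan 19 17:30:12 2025 daemon.info dnsmasq[1]: 100 127.0.0.1/57010 forwarded kk4.kleine-koenig.org to 9.9.9.9
Sun Jan 19 17:30:12 2025 daemon.info dnsmasq[1]: 100 127.0.0.1/57010 reply kk4.kleine-koenig.org is NODATA
Sun Jan 19 17:30:15 2025 daemon.info dnsmasq[1]: 101 127.0.0.1/57012 query[A] happy.kk4.kleine-koenig.org from 127.0.0.1
Sun Jan 19 17:30:15 2025 daemon.info dnsmasq[1]: 101 127.0.0.1/57012 forwarded happy.kk4.kleine-koenig.org to 192.168.128.3
Sun Jan 19 17:30:15 2025 daemon.info dnsmasq[1]: 101 127.0.0.1/57012 reply happy.kk4.kleine-koenig.org is 192.168.128.4
"""

LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<serial>\d+) \S+ (?P<event>.*)$")
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from")
FORWARD_RE = re.compile(r"forwarded \S+ to (?P<server>\S+)")
LOCAL_RE = re.compile(r"(?P<source>config|cached) \S+ is (?P<value>.*)")

def group_queries(log_text):
    """Group lines by query serial: qtype, name, servers forwarded to, local answer source."""
    queries = defaultdict(lambda: {"qtype": None, "name": None, "servers": [], "local": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an extra-format query line (e.g. startup messages)
        q, event = queries[int(m["serial"])], m["event"]
        if qm := QUERY_RE.match(event):
            q["qtype"], q["name"] = qm["qtype"], qm["name"]
        elif fm := FORWARD_RE.match(event):
            q["servers"].append(fm["server"])
        elif lm := LOCAL_RE.match(event):
            q["local"] = f'{lm["source"]}:{lm["value"]}'
    return dict(queries)

def unexpected_routes(log_text, routes):
    """Return (serial, qtype, name, where) for queries under a routed domain that were
    not forwarded to one of its servers. routes mirrors server=/domain/ip lines,
    e.g. {"kleine-koenig.org": {"192.168.128.3"}}."""
    findings = []
    for serial, q in sorted(group_queries(log_text).items()):
        if q["name"] is None:
            continue
        expected = next((s for d, s in routes.items()
                         if q["name"] == d or q["name"].endswith("." + d)), None)
        if expected is None:
            continue
        if not q["servers"]:  # answered locally (config/cache) or never forwarded
            findings.append((serial, q["qtype"], q["name"], q["local"] or "no answer logged"))
        elif not set(q["servers"]) <= expected:  # sent to a server outside the route
            findings.append((serial, q["qtype"], q["name"], ",".join(q["servers"])))
    return findings
```

Running `unexpected_routes(SAMPLE_LOG, {"kleine-koenig.org": {"192.168.128.3"}})` flags serial 99 (answered from config as NODATA) and serial 100 (DS forwarded to 9.9.9.9 rather than 192.168.128.3), while serial 101 passes.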


_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
