Hello Simon,

On Sun, Jan 19, 2025 at 11:50:23PM +0000, Simon Kelley wrote:
> On 1/19/25 16:48, Uwe Kleine-König wrote:
> > On Sun, Jan 19, 2025 at 12:07:25AM +0000, Simon Kelley wrote:
> > > On 1/18/25 21:56, Uwe Kleine-König wrote:
> > > > Anyhow, I'll investigate how to update dnsmasq on my OpenWrt machine
> > > > with your patch and report back.
> > >
> > > Thanks. I did some more testing and found a couple more bugs. One is
> > > theoretical and one is real in the sense that I saw it happen, but it
> > > requires the forwarder part of dnsmasq to be configured with
> > >
> > > --cache-rr=ANY,
> > >
> > > so you probably haven't hit it. Anyway, I tagged 2.91test8, so best to
> > > test that.
> >
> > OK I did, and I see an improvement, namely:
> >
> > root@happy:~# dig +dnssec kk4.kleine-koenig.org DS
> >
> > ; <<>> DiG 9.20.4 <<>> +dnssec kk4.kleine-koenig.org DS
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45505
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 1232
> > ; EDE: 29: (Result from negative cache for entire name)
> > ;; QUESTION SECTION:
> > ;kk4.kleine-koenig.org. IN DS
> >
> > ;; AUTHORITY SECTION:
> > kleine-koenig.org. 2295 IN SOA ns2.kleine-koenig.org. hostmaster.kleine-koenig.org. 1736985600 86400 7200 3600000 3600
> > 2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - 2P9C6ENEEA87649H171LI9VRHSJHD415 A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY SPF CAA
> > jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - KC9F61PEEQM0I99JMFUTDS2AG9ERP4JA CNAME RRSIG
> > b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN NSEC3 1 0 0 - BI486GC6KIU7IU4NLOCN8SL91BHSKRV5 A AAAA RRSIG
> > kleine-koenig.org. 2295 IN RRSIG SOA 13 2 86400 20250130000000 20250109000000 34607 kleine-koenig.org. o+4F0Nhr6KWw6dEVfgeGRv4B3n1yjdZKhTCPB03IIK9naZQGvdgUfLV2 PADPEFYtDKv9ePRzyJTxobF+pCa2rA==
> > 2h1ek1sl5f0n5g07dos4u229nlrldiuh.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. 5d5BQRag1NrEKo22RhuvvqUBIq1NJykKUIwZGrzlvmRtvEUwl0VtciHf 6DnomyWFZqx5HIbuhTeOMu9CxdUjTg==
> > jsj8simjbajncnrcii8eq3474hg5f6pt.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. NzUYWmFm4OhGVMMU6DFFnB+xxzxA8ZOQZkSPXxT6yEaiXVvP4bXziolM 8o/2l0lcGO1j8ARAsVl4feDEfkY09A==
> > b862q755o9ujc0mu6llpi5hu4n0tm9em.kleine-koenig.org. 2295 IN RRSIG NSEC3 13 3 3600 20250130000000 20250109000000 34607 kleine-koenig.org. Sx2J6xvVOFULEK6uKDMvP+E3gqJ251Dv2rAkLW+w/b/Fokp7Kg8t/oit ZtDSi8InKqXfdiSUzLqWft9sjv2sXA==
> >
> > ;; Query time: 40 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> > ;; WHEN: Sun Jan 19 16:53:06 CET 2025
> > ;; MSG SIZE rcvd: 848
> >
> > (which lacked the DNSSEC stuff before).
> >
> > *But* the SOA line mentioned there is the public one, which means that
> > that
> >
> > server=/kleine-koenig.org/192.168.128.3
> >
> > was ignored here?! (It works when asking directly for the SOA:
>
> It was ignored. The logic is somewhat tortuous, but it goes like this.
> The server=/kleine-koenig.org/192.168.128.3 is not available for queries
> which need DNSSEC validation; a DS query always needs DNSSEC validation, so
> it doesn't get sent to 192.168.128.3.
Huh. Is this a bug that is hard to fix, or is this beneficial in some
situation and so works as intended?

Anyhow, for testing I added an NS record for kk4.kleine-koenig.org to the
public zone and dropped server=/kleine-koenig.org/192.168.128.3 from the
config. Then I get

root@happy:~# delv happy.kk4.kleine-koenig.org
; unsigned answer
happy.kk4.kleine-koenig.org. 0 IN A 192.168.144.1
happy.kk4.kleine-koenig.org. 0 IN A 192.168.145.1
.

> If you add a DS record for
> kleine-koenig.org to your config, it should work, assuming that
> 192.168.128.3 is DNSSEC capable.

After first trying with dns-rr=, which somewhat worked (as I succeeded in
creating a DS record with it), it didn't impress dnsmasq enough to make
DNSSEC verification happy. Now I added

trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

which matches the DS record for kleine-koenig.org in both the public DNS and
the internal view, and now delv happy.kk4.kleine-koenig.org works (same
output as above, with "unsigned answer" as expected).

That's a bit inconvenient because I have to duplicate that information. An
"auto" mode that just uses kleine-koenig.org/DS would be good. And if the
config doesn't match, DNSSEC is broken anyhow, isn't it? So IMHO such an
auto-mode being the default would be sane, but that relates to the question
above about why DNSSEC isn't used for server=.

(Side note: I first tried

trust-anchor=,kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

and

trust-anchor=IN,kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1

(with a , after the = and class=IN respectively), but dnsmasq didn't like
that:

dnsmasq[1]: bad trust anchor at line 43 of /etc/dnsmasq.conf

despite the manpage stating

--trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>

which suggests to me that the , has to be there. (And I have no idea what to
pass for class apart from "IN".))

> Send me stuff off-list. I'd like to see dnsmasq logs too.

Is there anything left to debug now? The only unexpected thing I still have
on my radar is that there is no answer for

dig kk4.kleine-koenig.org NS

which you said would work on your end. There isn't much involved, so I send
it here:

root@happy:~# dig kk4.kleine-koenig.org NS

; <<>> DiG 9.20.4 <<>> kk4.kleine-koenig.org NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15630
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kk4.kleine-koenig.org. IN NS

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Jan 20 11:12:32 CET 2025
;; MSG SIZE rcvd: 50

which logs:

Mon Jan 20 11:12:32 2025 daemon.info dnsmasq[1]: 1 127.0.0.1/56319 query[NS] kk4.kleine-koenig.org from 127.0.0.1
Mon Jan 20 11:12:32 2025 daemon.info dnsmasq[1]: 1 127.0.0.1/56319 config kk4.kleine-koenig.org is NODATA

while asking the auth end results in:

root@happy:~# dig @192.168.128.4 kk4.kleine-koenig.org NS

; <<>> DiG 9.20.4 <<>> @192.168.128.4 kk4.kleine-koenig.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59915
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kk4.kleine-koenig.org. IN NS

;; ANSWER SECTION:
kk4.kleine-koenig.org. 600 IN NS happy.kleine-koenig.org.

;; Query time: 0 msec
;; SERVER: 192.168.128.4#53(192.168.128.4) (UDP)
;; WHEN: Mon Jan 20 11:13:31 CET 2025
;; MSG SIZE rcvd: 108

with

Mon Jan 20 11:13:31 2025 daemon.info dnsmasq[1]: 2 192.168.128.4/42861 auth[NS] kk4.kleine-koenig.org from 192.168.128.4
Mon Jan 20 11:13:31 2025 daemon.info dnsmasq[1]: 2 192.168.128.4/42861 auth kk4.kleine-koenig.org is <NS>

in the logs.

I adapted openwrt to use 2.91test8, as can be seen on
https://github.com/ukleinek/openwrt/tree/dnsmasq-2.91 (I was a bit irritated
about the indentation changes to 200-ubus_dns.patch, but I would be surprised
if that was the culprit), and then used the default configuration for
building. The used runtime configuration file contains:

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries=extra
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
cache-size=1000
edns-packet-max=1232
domain=kk4.kleine-koenig.org
local=/kk4.kleine-koenig.org/
server=/ext.kleine-koenig.org/162.55.41.232
server=/kleine-koenig.org/192.168.128.3
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
rebind-domain-ok=kleine-koenig.org
rebind-domain-ok=r9.haus-des-engagements.de
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.cfg01411c.d
user=dnsmasq
group=dnsmasq
dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf
bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.144.100,192.168.144.249,255.255.255.0,12h
dhcp-range=set:lab,192.168.145.100,192.168.145.249,255.255.255.0,12h
no-dhcp-interface=eth2

and /etc/dnsmasq.conf has:

auth-server=happy.kleine-koenig.org,kkvpn
auth-zone=kk4.kleine-koenig.org
trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1
.

Best regards
Uwe
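One way to catch the duplication problem raised above (a trust-anchor= line that silently drifts away from the DS record it is supposed to mirror) is to check the two against each other before reloading dnsmasq. The script below is an added example, not code from this thread or from dnsmasq: it parses a trust-anchor= line using the manpage syntax quoted above (treating the leading class field as optional, which is this example's own choice, not dnsmasq's behaviour), parses a DS record in presentation format, and reports whether every field agrees. The record values used as sample input are constructed from the values quoted in the thread.

```python
import re

# Constructed sample input: the trust-anchor line quoted in this thread and a
# DS record in presentation format built from the same values.
ANCHOR = ("trust-anchor=kleine-koenig.org,34607,13,2,"
          "FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1")
DS = ("kleine-koenig.org. 3600 IN DS 34607 13 2 "
      "ff05da4f2e6a2692421fa7ed99df07205a6a04abc917f26cd7e781520a2652d1")
# DS digest types and their hex digest lengths (SHA-1, SHA-256, SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

def _record(cls, name, tag, alg, dtype, digest):
    """Normalise the fields and reject values that cannot form a valid DS."""
    rec = {"class": cls.upper(), "name": name.rstrip(".").lower(),
           "key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype),
           "digest": digest.replace(" ", "").lower()}
    if not 0 <= rec["key_tag"] <= 65535:
        raise ValueError("key tag out of range")
    want = DIGEST_HEX_LEN.get(rec["digest_type"])
    if want is None or not re.fullmatch(r"[0-9a-f]{%d}" % want, rec["digest"]):
        raise ValueError("digest does not fit digest type %d" % rec["digest_type"])
    return rec

def parse_trust_anchor(line):
    """Parse trust-anchor=[<class>,]<domain>,<key-tag>,<alg>,<dtype>,<digest>.
    Hypothetical parser for this check (not dnsmasq's); class is optional."""
    key, _, value = line.strip().partition("=")
    if key != "trust-anchor":
        raise ValueError("not a trust-anchor line")
    fields = value.split(",")
    cls = "IN"
    if len(fields) == 6:  # optional leading class field present
        cls = fields.pop(0) or "IN"
    if len(fields) != 5:
        raise ValueError("expected domain,key-tag,algorithm,digest-type,digest")
    return _record(cls, *fields)

def parse_ds(line):
    """Parse a DS RR in zone-file presentation format (TTL is optional)."""
    m = re.fullmatch(r"(\S+)\s+(?:\d+\s+)?(\S+)\s+DS\s+(\d+)\s+(\d+)\s+(\d+)"
                     r"\s+([0-9A-Fa-f ]+)", line.strip())
    if not m:
        raise ValueError("not a DS record")
    name, cls, tag, alg, dtype, digest = m.groups()
    return _record(cls, name, tag, alg, dtype, digest)

def anchor_matches_ds(anchor_line, ds_line):
    """True only when every field of the configured anchor equals the DS."""
    return parse_trust_anchor(anchor_line) == parse_ds(ds_line)
```

Feed it the DS record as served by the parent zone (for example the output of a DS query) and the line from the config file; a mismatch in any field, or a digest whose length does not fit the digest type, is reported before it can break validation.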
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss