Complete repro is challenging because dnsmasq doesn't apply `max-cache-ttl`
to DNSSEC validation. However, this config demonstrates the key
factors contributing to the bug:
```
# Enable the bug
use-stale-cache
dnssec
# Expire cache fast
max-cache-ttl=1
# Force DNSKEY truncation
edns-packet-max=512
# Anchor to trust (required for DNSSEC val)
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Logging
log-queries
log-facility=-
```
Using the following Dockerfile:
```
FROM ubuntu:20.04
RUN apt-get update && \
apt-get install -y dnsmasq tcpdump dnsutils && \
apt-get clean
COPY dnsmasq.conf /etc/dnsmasq.conf
CMD ["dnsmasq", "-d", "-q"]
```
We could do something like:
```
$ docker build -t dnsmasq-test . && docker run --rm -it --cap-add=NET_ADMIN --dns 8.8.8.8 dnsmasq-test bash -c "
dnsmasq -d -q 2>&1 | tee /tmp/log &
sleep 2
echo '1. Without TCP retry (+ignore): DNSSEC validation FAILS'
dig @127.0.0.1 cloudflare.com +ignore 2>&1 | grep -E 'status:|Truncated'
grep 'validation result' /tmp/log | head -1
echo -e '\n2. With TCP retry: validation succeeds'
dig @127.0.0.1 cloudflare.com 2>&1 | grep -E 'status:|Truncated'
grep 'SECURE' /tmp/log | head -1
echo -e '\n3. From cache: returns instantly (0ms), background refresh has no TCP retry'
sleep 3
dig @127.0.0.1 cloudflare.com 2>&1 | grep -E 'Query time|EDE'
grep -E 'cached-stale|forwarded' /tmp/log | tail -2
"
```
--
https://bugs.launchpad.net/bugs/2138412
Title:
DNSSEC validation with stale cache enabled does not properly retry
truncated response
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
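As an added example (not part of the bug report or of dnsmasq itself), the following checker parses a dnsmasq.conf and reports when the option combination the repro comment above relies on is present: `use-stale-cache` together with `dnssec`, plus an `edns-packet-max` small enough to truncate DNSKEY answers. The function names and the 1232-byte threshold are assumptions made for this example, not dnsmasq defaults; the sample config is the one from the comment, embedded inline.

```python
"""Audit a dnsmasq.conf for the stale-cache + DNSSEC combination discussed in
Launchpad bug 2138412.  Added example; not code from the bug report."""
from typing import Dict, List, Optional

# Assumption for this example: UDP payload limits below this are treated as
# likely to truncate DNSKEY RRsets (the repro uses 512 to force truncation).
EDNS_TRUNCATION_RISK = 1232


def parse_dnsmasq_conf(text: str) -> Dict[str, List[Optional[str]]]:
    """Parse dnsmasq's line-oriented syntax: '#' comment lines, bare flags
    such as 'dnssec' (value None), and 'key=value' lines.  A key may repeat,
    so every key maps to a list of values."""
    options: Dict[str, List[Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return options


def stale_cache_dnssec_findings(options: Dict[str, List[Optional[str]]]) -> List[str]:
    """Return human-readable findings; an empty list means the risky
    combination is absent."""
    findings: List[str] = []
    if not ("use-stale-cache" in options and "dnssec" in options):
        return findings
    findings.append("use-stale-cache and dnssec are both set: a stale-cache "
                    "background refresh may not retry a truncated DNSKEY "
                    "answer over TCP (bug 2138412)")
    for value in options.get("edns-packet-max", []):
        if value is None or not value.isdigit():
            findings.append(f"edns-packet-max has a non-numeric value: {value!r}")
        elif int(value) < EDNS_TRUNCATION_RISK:
            findings.append(f"edns-packet-max={value} makes DNSKEY truncation likely")
    return findings


# Constructed sample: the repro config from the bug comment.
SAMPLE_CONF = """# Enable the bug
use-stale-cache
dnssec
max-cache-ttl=1
edns-packet-max=512
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
log-queries
log-facility=-
"""

if __name__ == "__main__":
    for finding in stale_cache_dnssec_findings(parse_dnsmasq_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Dropping `use-stale-cache` (or raising `edns-packet-max`) from a config removes the corresponding finding, which is the check to run before and after a mitigation.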