On Wed, Jun 15, 2011 at 21:16, Robert Edmonds <edmo...@debian.org> wrote:
> you're most likely running unbound in the default debian config which
> enables DNSSEC validation. if you comment out the
> "auto-trust-anchor-file" line in /etc/unbound/unbound.conf and restart
> unbound, does it start working with your dnsmasq server?

Yes. For the record, with validation enabled:

No forwarding: works
Forwarding to 8.8.8.8: fails
Forwarding to 4.2.2.1: works
Forwarding to dnsmasq which forwards to 8.8.8.8: fails
Forwarding to dnsmasq which forwards to 4.2.2.1: fails

So, breakage at dnsmasq and 8.8.8.8, I think, the latter officially
being a known issue.

> you can see in the trace that unbound is (repeatedly) attempting to find
> the DS record for com, and dnsmasq is responding with NXDOMAIN:

Yes. Google DNS fails differently, by the way: no record, NOERROR,
authority section for google.com.

> note that dnsmasq is responding with NXDOMAIN for "com". this is
> hilariously wrong, as it means that dnsmasq claims that com does not
> exist. but apart from that, unbound is unable to find the DS record for
> com and thus DNSSEC validation fails.

Yes. The problem with DS is, of course, that it is an authoritative
member of the parent zone only, so you have to ask the com. nameservers
for the DS record of google.com., not the google.com. nameservers.
Recursors have to just know that; it isn't covered by basic forwards
compatibility like any other new record type. Google's DNS apparently
doesn't, and dnsmasq is even more broken.

(I'm trying to point out that you may assume I have a detailed
understanding of DNS and DNSSEC for the purposes of this discussion,
without being a dick about it. I don't think it's working.)

> i suspect that if you configure your dnsmasq server to forward to a
> server that supports DNSSEC (e.g., level3's 4.2.2.2) that your unbound
> forwarder may work, otherwise there are more bugs in dnsmasq.

See above; doesn't fix it, as far as I can tell.
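The three upstream behaviours the thread distinguishes (a DS answer, Google's NOERROR/NODATA with an SOA in the authority section, and dnsmasq's NXDOMAIN for "com") can be told apart mechanically from the wire format. The following is an added example, not code from the bug report or from unbound or dnsmasq: it builds the DS query a validating resolver sends (with the EDNS0 DO bit), parses a reply far enough to classify it, and constructs sample replies offline so the classifier can be exercised without a network. The constants and the `make_reply` helper are assumptions for the example.

```python
import struct
TYPE_SOA, TYPE_OPT, TYPE_DS, CLASS_IN = 6, 41, 43, 1

def encode_name(name):  # wire-format name: length-prefixed labels plus a zero byte
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_ds_query(zone, txid=0x1234):
    """DS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # one question, one additional (OPT)
    question = encode_name(zone) + struct.pack("!HH", TYPE_DS, CLASS_IN)
    # OPT pseudo-RR: root name, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    return header + question + b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)

def skip_name(msg, off):  # offset just past the name at `off`; a compression pointer ends a name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_ds_response(msg):
    """Judge a DS reply the way a validating resolver (unbound in the thread) experiences it."""
    flags, qd, an, ns = struct.unpack("!HHHH", msg[2:10])
    rcode = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}.get(flags & 0xF, "rcode%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # qname, then qtype + qclass
    sections = {"answer": [], "authority": []}
    for name, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[name].append(rtype)
    if rcode == "NXDOMAIN":
        return "broken: NXDOMAIN claims the zone does not exist"   # the dnsmasq behaviour in the thread
    if TYPE_DS in sections["answer"]:
        return "ok: DS record returned"
    if rcode == "NOERROR" and TYPE_SOA in sections["authority"]:
        return "broken: NOERROR/NODATA, DS withheld"               # the 8.8.8.8 behaviour in the thread
    return "broken: " + rcode

def make_reply(query, rcode, answer_rrs=(), authority_rrs=()):  # constructed reply for offline testing
    def rr(rtype, rdata):  # RRs point back at the question name via a compression pointer
        return b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answer_rrs), len(authority_rrs), 0)
    question = query[12:skip_name(query, 12) + 4]
    return header + question + b"".join(rr(*r) for r in list(answer_rrs) + list(authority_rrs))
```

To test a real forwarder, send `build_ds_query("com.")` over UDP to it and pass the reply to `classify_ds_response`; only the "ok" outcome lets a validating resolver behind that forwarder build the chain of trust for com.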