What release are you using, Uwe?

I just tried the git-HEAD code, and pangaea.de is OK, both issues.pangaea.de, which is a genuine record, and simon.pangaea.de which is an expansion of the wildcard.

;simon.pangaea.de.              IN      A

;; ANSWER SECTION:
simon.pangaea.de.       21599   IN      A       134.1.2.171
simon.pangaea.de.       21599   IN      RRSIG   A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=

;; AUTHORITY SECTION:
pangaea.de.             21599   IN      NS      ns2.domaindiscount24.net.
pangaea.de.             21599   IN      NS      ns3.domaindiscount24.net.
pangaea.de.             21599   IN      NS      ns1.domaindiscount24.net.
pangaea.de.             21599   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME RRSIG
ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 3 3600 20160111155643 20151228181431 12714 pangaea.de. JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2 qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ MRM=

The 0skar.cz test domains have very long dates on the signature expiration fields, which found a bug in that code. Having fixed that, I can validate everything that Google DNS validates.

Cheers,

Simon.

On 04/01/16 14:48, Uwe Schindler wrote:
> Hi,
>
> I found out that resolving of DNSSEC signed wildcard domains does
> not work correctly with dnsmasq. I think the problem is that it
> looks for a signature of the requested domain name and not the
> wildcard.
>
> The following fails:
>
> $ dig issues.pangaea.de
>
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;issues.pangaea.de.             IN      A
>
> ;; Query time: 18 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 04 15:43:42 CET 2016
> ;; MSG SIZE  rcvd: 46
>
> The reason is: "issues.pangaea.de" is covered by a star domain
> "*.pangaea.de" that is correctly signed (tested from another server
> - not using dnsmasq):
>
> $ dig +dnssec *.pangaea.de
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;*.pangaea.de.                  IN      A
>
> ;; ANSWER SECTION:
> *.pangaea.de.           28790   IN      A       134.1.2.171
> *.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=
>
> ;; AUTHORITY SECTION:
> pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
> pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
> pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=
>
> ;; Query time: 0 msec
> ;; SERVER: 85.25.128.10#53(85.25.128.10)
> ;; WHEN: Mon Jan 4 14:42:43 2016
> ;; MSG SIZE  rcvd: 471
>
> How should this be solved? This is another one where dnssec fails,
> so clearly a bug.
>
> There is a test page about exactly that case, which fails for me
> when resolving through dnsmasq: http://0skar.cz/dns/en/
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: u...@thetaphi.de
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
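The two validator checks this thread turns on, as an added Python example that is not dnsmasq's code: the RRSIG labels field (the "2" in "A 7 2 28800 ...") tells a validator whether the answer for simon.pangaea.de was synthesized from *.pangaea.de, so the signature must be checked over the wildcard name rather than the queried name (RFC 4035 section 5.3.4); and the RRSIG inception/expiration fields are 32-bit timestamps that must be compared with RFC 1982 serial arithmetic, which is where far-future expirations like those on the 0skar.cz test domains bite. The RRSIG rdata is copied from the thread; the `check` helper and the wrap-around sample values are mine, and no cryptographic signature verification is performed.

```python
"""RRSIG wildcard-label and time-window checks for DNSSEC validation.
Parses presentation-format RRSIG rdata only; no crypto is verified here."""
import calendar
from dataclasses import dataclass

# Copied from the thread: the answer for simon.pangaea.de carries the
# RRSIG made over *.pangaea.de (labels field = 2, owner has 3 labels).
SAMPLE_OWNER = "simon.pangaea.de."
SAMPLE_RRSIG = ("A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. "
                "jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q "
                "MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m "
                "HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=")

MASK32 = 0xFFFFFFFF


@dataclass
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int   # seconds since epoch, reduced to the 32-bit wire field
    inception: int
    key_tag: int
    signer: str
    signature_b64: str


def parse_rrsig_time(field: str) -> int:
    """RFC 4034 s3.2 allows YYYYMMDDHHmmSS or a plain decimal second count.
    Either way the wire field is 32 bits, so the value is taken modulo 2^32."""
    if len(field) == 14 and field.isdigit():
        parts = (int(field[0:4]), int(field[4:6]), int(field[6:8]),
                 int(field[8:10]), int(field[10:12]), int(field[12:14]))
        return calendar.timegm(parts) & MASK32
    return int(field) & MASK32


def parse_rrsig(rdata: str) -> Rrsig:
    f = rdata.split()
    return Rrsig(f[0], int(f[1]), int(f[2]), int(f[3]),
                 parse_rrsig_time(f[4]), parse_rrsig_time(f[5]),
                 int(f[6]), f[7], "".join(f[8:]))


def label_count(name: str) -> int:
    """Label count as RFC 4034 s3.1.3 defines it: the root label is not
    counted, and a leading '*' label is not counted either."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def signed_owner_name(owner: str, rrsig: Rrsig) -> str:
    """Return the name the signature was made over. A labels field smaller
    than the owner's label count means the RRset was synthesized from a
    wildcard: verify against '*' plus the rightmost <labels> labels."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    n = label_count(owner)
    if rrsig.labels > n:
        raise ValueError("RRSIG labels field exceeds owner label count: bogus")
    if rrsig.labels == n:
        return owner
    return "*." + ".".join(labels[n - rrsig.labels:]) + "."


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'less than' for 32-bit serial numbers (wrap-safe)."""
    return (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)


def rrsig_time_valid(rrsig: Rrsig, now: int) -> bool:
    """inception <= now <= expiration in serial arithmetic, so a signature
    whose expiration has wrapped past 2^32 is still ordered correctly."""
    now &= MASK32
    return (not serial_lt(now, rrsig.inception)
            and not serial_lt(rrsig.expiration, now))


def check(owner: str, rdata: str, now: int) -> dict:
    """Hypothetical helper: summarize what a validator must do with this RRSIG."""
    rrsig = parse_rrsig(rdata)
    signed = signed_owner_name(owner, rrsig)
    return {"signed_name": signed,
            "wildcard_expansion": signed != owner,
            "time_valid": rrsig_time_valid(rrsig, now),
            "signer": rrsig.signer}


if __name__ == "__main__":
    # Evaluate at the time of Uwe's mail, 2016-01-04 14:48 (treated as UTC here).
    print(check(SAMPLE_OWNER, SAMPLE_RRSIG, parse_rrsig_time("20160104144800")))
```

A validator that, as Uwe suspected, looked for an RRSIG over the queried name would find none here: the only signature in the answer was made over "*.pangaea.de.", and the labels field is the only hint of that. Note that wildcard expansion additionally requires an NSEC/NSEC3 proof that no closer match exists (the NSEC3 records in Simon's output), which this example does not evaluate.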