Which version of dnsmasq are you using? I just tested this domain using the development code, and got the correct result.
dnsmasq: query[A] patryk.one.pl from 127.0.0.1 dnsmasq: forwarded patryk.one.pl to 8.8.4.4 dnsmasq: forwarded patryk.one.pl to 8.8.8.8 dnsmasq: dnssec-query[DS] pl to 8.8.8.8 dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8 dnsmasq: reply . is DNSKEY keytag 61045, algo 8 dnsmasq: reply . is DNSKEY keytag 14796, algo 8 dnsmasq: reply . is DNSKEY keytag 19036, algo 8 dnsmasq: reply pl is DS keytag 2216, algo 8, digest 2 dnsmasq: dnssec-query[DS] one.pl to 8.8.8.8 dnsmasq: dnssec-query[DNSKEY] pl to 8.8.8.8 dnsmasq: reply pl is DNSKEY keytag 2216, algo 8 dnsmasq: reply pl is DNSKEY keytag 55609, algo 8 dnsmasq: reply pl is DNSKEY keytag 53575, algo 8 dnsmasq: reply pl is DNSKEY keytag 61674, algo 8 dnsmasq: reply one.pl is no DS dnsmasq: validation result is INSECURE dnsmasq: reply patryk.one.pl is 213.5.10.12 Cheers, Simon. On 27/03/17 16:37, Patryk Szczygłowski wrote: > Hello, > > I have domain signed with DNSSEC: patryk.one.pl <http://patryk.one.pl> > The issue is, the parent one.pl <http://one.pl> is completely void of > DNSSEC support (and it will probably never get fixed). > > Therefore: > - . is signed > - .pl is signed, no DS for .one.pl <http://one.pl> > - .one.pl <http://one.pl> is NOT signed, no DNSKEY, no DS for > .patryk.one.pl <http://patryk.one.pl> > - .patryk.one.pl <http://patryk.one.pl> is signed > > My domain is registered with dlv.isc.org <http://dlv.isc.org>, but this > not important anymore, as they announced closing down. > > Have a look here: > http://dnsviz.net/d/patryk.one.pl/dnssec/ > > The issue is dnsmasq is returning BOGUS instead of INSECURE. In > consequence the domain does not resolve. > I believe it is in contradiction with RFC: > https://tools.ietf.org/html/rfc4035#section-5.1 > > It should mark BOGUS only if top-bottom validation determies DS in > parent but missing DNSKEY in child. > > Current behaviour is promoting a race condition, when the domain owner > enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate. > > The same situation was few years ago, when TLDs were gradually enabled, > when for a while they were signed with DNSKEY without DS being set on > parent, only to be put several months later. There are still unsigned > TLDs and I think they will stop being resolved completely when this > happens again. > > Google Public DNS behaviour is correct. > > -- > Patryk Szczygłowski > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss