On 01/03/2019 18:56, Dominik DL6ER wrote:
> Dear list members,
>
> to my understanding, dnsmasq should not return any valid records for BOGUS
> domains.
> However, using Cloudflare (1.1.1.1 / 1.0.0.1) as upstream, I see domains
> being validated as BOGUS in the log; however, the A query still succeeds and
> the client receives valid IP addresses. I'm using dnsmasq v2.80.
>
> Corresponding log excerpt:
>
> Mar 1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
> Mar 1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
> Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
> Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
> Mar 1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
> Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
> Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
> Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
> Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
> Mar 1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
> Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
> Mar 1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
> Mar 1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
> Mar 1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
> Mar 1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
> Mar 1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
> Mar 1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
> Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
> Mar 1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
>
> Is this intended behavior?
Is the client actually getting the IP addresses, or are you assuming that it is based on the log?

I just ran the same query and got the same logs, but the reply which went back to the client has a SERVFAIL return code, and an empty answer section.

What is happening here is that 1.0.0.1 is returning a valid but unsigned answer to the original query, which is being logged. (You can think of the "reply" noun in the logs as "reply from 1.0.0.1", not "reply to 192.168.0.135".) Dnsmasq fails to prove that an unsigned reply is OK, and therefore labels it as bogus, and turns it into a SERVFAIL reply.

What's worrying is that Cloudflare and Google are both quite happy that the answer is _not_ bogus, but dnsmasq thinks it is. I shall poke around some more to try and understand that.

Simon.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
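The confusion in the thread comes from reading the "reply ... is ..." log lines as what the client received. The following is an added example (not from the thread and not dnsmasq code) that correlates dnsmasq log lines per client query and applies the rule Simon describes: "reply" lines record what the upstream returned, and a "validation X is BOGUS" line means the client gets SERVFAIL with an empty answer section. The sample log is the thread's excerpt with the e-mail line wrapping undone, plus one constructed SECURE query for contrast; the regexes, the BOGUS-to-SERVFAIL mapping and the list of reply values treated as validation-chain data (DS, DNSKEY, BOGUS, "no DS") are this example's own assumptions about the log format, not a specification.

```python
"""Correlate dnsmasq DNSSEC log lines per client query (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the thread's excerpt with wrapped lines re-joined,
# followed by a made-up query that validates SECURE.
SAMPLE_LOG = """\
Mar  1 12:07:43 dnsmasq[28682]: query[A] www.vp4.navy.mil from 192.168.0.135
Mar  1 12:07:43 dnsmasq[28682]: forwarded www.vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DS keytag 59896, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DNSKEY] mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 59896, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 10428, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply mil is DNSKEY keytag 15450, algo 8
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 2
Mar  1 12:07:43 dnsmasq[28682]: reply navy.mil is DS keytag 33826, algo 8, digest 1
Mar  1 12:07:43 dnsmasq[28682]: dnssec-query[DS] vp4.navy.mil to 1.0.0.1
Mar  1 12:07:43 dnsmasq[28682]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Mar  1 12:07:43 dnsmasq[28682]: reply vp4.navy.mil is BOGUS DS
Mar  1 12:07:43 dnsmasq[28682]: validation www.vp4.navy.mil is BOGUS
Mar  1 12:07:43 dnsmasq[28682]: reply www.vp4.navy.mil is <CNAME>
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 34.196.13.230
Mar  1 12:07:43 dnsmasq[28682]: reply open-elb-prod-277276106.us-east-1.elb.amazonaws.com is 52.0.22.76
Mar  1 12:07:44 dnsmasq[28682]: query[A] example.net from 192.168.0.135
Mar  1 12:07:44 dnsmasq[28682]: forwarded example.net to 1.0.0.1
Mar  1 12:07:44 dnsmasq[28682]: validation example.net is SECURE
Mar  1 12:07:44 dnsmasq[28682]: reply example.net is 192.0.2.1
"""

# Assumed log line shapes (derived from the excerpt, not from a spec).
MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
DNSSEC_RE = re.compile(r"^dnssec-query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) to (?P<server>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$")
VALID_RE = re.compile(r"^validation (?P<name>\S+) is (?P<state>[A-Z]+)$")

# "reply X is ..." values that belong to the validation chain rather than
# to the answer for the client's question (assumption).
CHAIN_PREFIXES = ("DS ", "DNSKEY ", "BOGUS ", "no DS")


def correlate(log_text):
    """Group log lines by client query: (client, qtype, name) -> summary dict."""
    records = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            key = (q["client"], q["qtype"], q["name"])
            current = records[key] = {
                "client": q["client"], "qtype": q["qtype"], "name": q["name"],
                "upstream": None, "chain": [], "warnings": [],
                "validation": None, "upstream_answers": [],
            }
            continue
        if current is None:  # lines before any query[...] are ignored
            continue
        f = FORWARD_RE.match(msg)
        if f:
            current["upstream"] = f["server"]
            continue
        d = DNSSEC_RE.match(msg)
        if d:
            current["chain"].append("%s %s -> %s" % (d["rtype"], d["name"], d["server"]))
            continue
        v = VALID_RE.match(msg)
        if v:
            current["validation"] = v["state"]
            continue
        r = REPLY_RE.match(msg)
        if r:
            if r["value"].startswith(CHAIN_PREFIXES):
                current["chain"].append("%s is %s" % (r["name"], r["value"]))
            else:
                # What the upstream answered, NOT what the client gets.
                current["upstream_answers"].append((r["name"], r["value"]))
            continue
        if msg.startswith("Insecure DS reply received"):
            current["warnings"].append(msg)
    return records


def client_view(record):
    """What the client is sent, per the reply's rule: BOGUS -> SERVFAIL, empty answer."""
    if record["validation"] == "BOGUS":
        return {"rcode": "SERVFAIL", "answers": []}
    return {"rcode": "NOERROR", "answers": [v for _, v in record["upstream_answers"]]}


if __name__ == "__main__":
    for key, rec in correlate(SAMPLE_LOG).items():
        print(key, "validation:", rec["validation"], "upstream said:",
              [v for _, v in rec["upstream_answers"]], "client gets:", client_view(rec))
```

To confirm the same thing directly rather than from logs, query dnsmasq with `dig @<dnsmasq-address> www.vp4.navy.mil A` and look at the `status:` field in the header, and compare with `dig +dnssec @1.0.0.1 www.vp4.navy.mil A`, which shows whether the upstream itself sets the AD flag on that answer.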