I'm not in a position to look at this for a few days, but in the meantime,
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012910.html
discusses a situation which looks, at least superficially, similar. It might
be worth turning on DNS logging and seeing if the similarity goes deeper.

Cheers,

Simon.

On 17/07/2019 06:41, Hamish Moffatt wrote:
> Hi,
>
> I'm trying to enable DNSSEC validation in dnsmasq 2.80, on my OpenWRT
> router. For upstream, I'm using 1.1.1.1. With DNSSEC validation on, when
> I visit the Cloudflare test site
> https://www.cloudflare.com/ssl/encrypted-sni/ , it says it can't
> determine if I have secure DNS enabled.
>
> It's trying to look up
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com, which
> is failing. dnsmasq is logging:
>
> Wed Jul 17 15:24:27 2019 daemon.warn dnsmasq[5733]: Insecure DS reply
> received, do upstream DNS servers support DNSSEC?
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> This is weird because if I query 1.1.1.1 directly with dig, it succeeds:
>
> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec
> 60bb35df-3fe6-47fd-9912-9c43cbb67cdd.is-cf.cloudflareresolve.com @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> Ultimately I'm trying to have dnsmasq talk to stubby to do DNS over TLS.
> If I query stubby directly, it also succeeds.
>
> It seems to work OK with other domains like cloudflare.com, just not the
> test site.
>
> Hamish
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> [email protected]
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
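An added example, not code from the thread or from the dnsmasq project: a small Python script that parses the two dig header blocks Hamish posted (copied here as constructed sample input) and classifies where the DNSSEC validation failure sits, so the forwarder-versus-upstream comparison can be repeated mechanically. The classification labels are my own.

```python
import re

# Constructed sample input: the header/flags lines from the two dig runs above.
VIA_DNSMASQ = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
VIA_UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12981
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+)")


def parse_dig(text):
    """Extract RCODE status, header flags and answer count from dig output."""
    h = HEADER_RE.search(text)
    f = FLAGS_RE.search(text)
    if not h or not f:
        raise ValueError("no dig header/flags lines found")
    return {
        "status": h.group(2),
        "flags": set(f.group(1).split()),  # e.g. {"qr", "rd", "ra", "ad"}
        "answers": int(f.group(3)),
    }


def classify(local_output, upstream_output):
    """Compare a query via the local forwarder with the same query sent upstream.

    'ad' set upstream means the upstream resolver validated the answer; a
    SERVFAIL only from the forwarder points at the forwarder's own validation
    (in this thread, dnsmasq's "Insecure DS reply" path), not the upstream.
    """
    loc, up = parse_dig(local_output), parse_dig(upstream_output)
    if loc["status"] == "NOERROR" and "ad" in loc["flags"]:
        return "validated-locally"
    if loc["status"] == "SERVFAIL" and up["status"] == "NOERROR" and "ad" in up["flags"]:
        return "forwarder-validation-failure"
    if up["status"] == "NOERROR" and "ad" not in up["flags"]:
        return "upstream-not-validating"
    if loc["status"] == up["status"]:
        return "same-as-upstream"
    return "unknown"
```

Feed it the full `dig +dnssec` output for the same name via the router and via the upstream; for the "DNS logging" Simon mentions, dnsmasq's `log-queries` and `log-dnssec` options show the DS/DNSKEY lookups behind the warning.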
