On 12/08/2021 13:34, Simon Kelley wrote:
> On 12/08/2021 12:23, Andre Heider wrote:
>> Hm, works if I disable dnssec on dnsmasq:
>> dig thekelleys.org.uk
>> ; <<>> DiG 9.16.15-Debian <<>> thekelleys.org.uk
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7599
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1280
>> ;; QUESTION SECTION:
>> ;thekelleys.org.uk. IN A
>> ;; ANSWER SECTION:
>> thekelleys.org.uk. 36717 IN A 85.119.82.65
>> ;; Query time: 3 msec
>> ;; SERVER: 192.168.0.1#53(192.168.0.1)
>> ;; WHEN: Thu Aug 12 13:12:28 CEST 2021
>> ;; MSG SIZE rcvd: 62
>> But with it enabled:
>> dig thekelleys.org.uk
>> ;; Truncated, retrying in TCP mode.
>> ; <<>> DiG 9.16.15-Debian <<>> thekelleys.org.uk
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34170
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ; EDE: 14 (Not Ready)
>> ;; QUESTION SECTION:
>> ;thekelleys.org.uk. IN A
>> ;; Query time: 7 msec
>> ;; SERVER: 192.168.0.1#53(192.168.0.1)
>> ;; WHEN: Thu Aug 12 13:13:18 CEST 2021
>> ;; MSG SIZE rcvd: 52
>> It works with dnssec enabled but 'ednspacket_max 1280' removed...
> This may be getting closer to the original problem. What do the query
> logs look like when that fails? Also is stubby handling queries on TCP OK?
dnsmasq[20540]: query[A] thekelleys.org.uk from 192.168.0.40
dnsmasq[20540]: forwarded thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DS] uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] . to 127.0.0.1
dnsmasq[20540]: reply . is DNSKEY keytag 26838, algo 8
dnsmasq[20540]: reply . is DNSKEY keytag 20326, algo 8
dnsmasq[20540]: reply uk is DS keytag 43876, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] uk to 127.0.0.1
dnsmasq[20540]: reply uk is DNSKEY keytag 43056, algo 8
dnsmasq[20540]: reply uk is DNSKEY keytag 43876, algo 8
dnsmasq[20540]: reply org.uk is DS keytag 41523, algo 8, digest 2
dnsmasq[20540]: dnssec-query[DS] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: dnssec-query[DNSKEY] org.uk to 127.0.0.1
dnsmasq[20540]: reply org.uk is DNSKEY keytag 41523, algo 8
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 60318, algo 10, digest 2
dnsmasq[20540]: reply thekelleys.org.uk is DS keytag 7713, algo 10, digest 2
dnsmasq[20540]: dnssec-query[DNSKEY] thekelleys.org.uk to 127.0.0.1
dnsmasq[20540]: reply thekelleys.org.uk is 85.119.82.65
dig @127.0.0.1 -p 5453 +vc thekelleys.org.uk
; <<>> DiG 9.17.13 <<>> @127.0.0.1 -p 5453 +vc thekelleys.org.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9671
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thekelleys.org.uk. IN A
;; ANSWER SECTION:
thekelleys.org.uk. 34162 IN A 85.119.82.65
;; Query time: 170 msec
;; SERVER: 127.0.0.1#5453(127.0.0.1) (TCP)
;; WHEN: Thu Aug 12 13:55:03 CEST 2021
;; MSG SIZE rcvd: 62
To be honest I'm not sure why I added --edns-packet-max=1280. It may
have been just because of dnsmasq logging about reducing packet sizes to
syslog over and over again?
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
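Added example, not code from dnsmasq, stubby, dig or anyone in this thread: a small pure-Python DNS wire-format helper that builds an EDNS0 query advertising a chosen UDP payload size (the value --edns-packet-max controls on the dnsmasq side) and parses a reply's RCODE, TC bit and Extended DNS Error option, i.e. the fields dig printed above as "status: REFUSED", "EDE: 14 (Not Ready)" and "Truncated, retrying in TCP mode". The replies it parses are constructed in-script with build_response(), not captured traffic, and the RCODE and EDE name tables are deliberately small subsets of the IANA registries.

```python
"""Build an EDNS0 query with a chosen UDP payload size and parse a reply's
RCODE, TC bit and Extended DNS Error (EDE) option. Added example; the
sample replies are constructed here, not captured from a resolver."""
import struct

OPT = 41          # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
EDE_OPTION = 15   # EDNS option code for Extended DNS Errors (RFC 8914)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}   # subset
EDE_NAMES = {6: "DNSSEC Bogus", 9: "DNSKEY Missing", 14: "Not Ready", 15: "Blocked"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_opt(udp_size, ext_rcode=0, options=b""):
    """OPT RR: empty name, TYPE 41, CLASS = UDP payload size, TTL = extended
    RCODE / version / DO bit, RDATA = EDNS options."""
    ttl = (ext_rcode << 24) | 0x8000               # DO bit: ask for DNSSEC data
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(options)) + options


def build_query(qid, name, udp_size=1280):
    """A/IN query with RD set and one OPT record advertising udp_size."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + build_opt(udp_size)


def build_response(qid, name, rcode=0, tc=False, ip=None, udp_size=4096, ede=None):
    """Constructed sample reply (not captured traffic): optional A answer,
    optional TC bit, optional EDE info-code carried in the OPT record."""
    flags = 0x8180 | (0x0200 if tc else 0) | (rcode & 0xF)   # qr rd ra
    answer = b""
    if ip:
        answer = (encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
                  + bytes(int(o) for o in ip.split(".")))
    options = b"" if ede is None else struct.pack("!HHH", EDE_OPTION, 2, ede)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if ip else 0, 0, 1)
    return (header + encode_name(name) + struct.pack("!HH", 1, 1) + answer
            + build_opt(udp_size, ext_rcode=rcode >> 4, options=options))


def parse_response(data):
    """Extract id, TC bit, (extended) RCODE, answer count, the peer's
    advertised UDP payload size and any EDE options from a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(data, off)
        off += 4
    info = {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "udp_size": None, "ede": []}
    for _ in range(an + ns + ar):
        _, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype != OPT:
            continue
        info["udp_size"] = rclass
        info["rcode"] |= (ttl >> 24) << 4          # upper 8 bits of the RCODE
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + length], pos + 4 + length
            if code == EDE_OPTION and len(body) >= 2:
                info_code = struct.unpack("!H", body[:2])[0]
                info["ede"].append((info_code, EDE_NAMES.get(info_code, "?"),
                                    body[2:].decode("utf-8", "replace")))
    info["status"] = RCODES.get(info["rcode"], str(info["rcode"]))
    return info


def next_step(info):
    """What a stub should do with the reply: retry over TCP when truncated,
    treat a non-zero RCODE as failure (surfacing the EDE), else use it."""
    if info["tc"]:
        return "retry over TCP"
    if info["rcode"] != 0:
        ede = "; ".join(f"EDE {c} ({n})" for c, n, _ in info["ede"]) or "no EDE"
        return f"failed: {info['status']} ({ede})"
    return f"ok: {info['answers']} answer(s)"
```

Feeding build_response(34170, "thekelleys.org.uk", rcode=5, ede=14) through parse_response() and next_step() reproduces the failing case above as "failed: REFUSED (EDE 14 (Not Ready))", a truncated reply (tc=True) yields "retry over TCP", and a reply carrying the A record yields "ok: 1 answer(s)". The point of the advertised payload size is visible in build_query(): a 1280-byte limit is a promise about what the client will accept over UDP, so a validating resolver whose DNSKEY responses exceed it must either set TC and push the client to TCP or fail, which is why the TCP path of the upstream (stubby here) matters as soon as that option is set.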