Hello, back in January I hit a DNSSEC related problem that I reported on that list, and that resulted in commit 8ce27433f8b2e17c557cb55e4f16941d309deeac.
Now I slightly changed my setup to make it more robust, it works as
follows now:
I have an authoritative DNS server for kleine-koenig.org running on
[::1]:10053 and dnsmasq (running on OpenWrt) configured with

    server=/kleine-koenig.org/::1#10053
    domain=kk4.kleine-koenig.org

The problem I have now is that a dnssec verifying resolver querying the
forwarding side of dnsmasq sees:
forwarding side of dnsmasq sees:
    $ delv www.kleine-koenig.org
    ;; broken trust chain resolving 'kleine-koenig.org/DNSKEY/IN': ::1#53
    ;; broken trust chain resolving 'www.kleine-koenig.org/A/IN': 127.0.0.1#53
    ;; resolution failed: broken trust chain

I think the problem is that the DS query for kleine-koenig.org is also
forwarded to [::1]:10053. Instead it should be forwarded to the same
server that (non-DS) queries for .org are sent to.
So the logic implemented in 8ce27433f8b2e17c557cb55e4f16941d309deeac was
too short-sighted: a DS query should always go to the parent, not only for
the zones that dnsmasq is authoritative for.
(Hmm, the DS query has the RD flag set, does that mean that the server
specified in a --server option has to be a recursor?)
Best regards
Uwe
Dnsmasq-discuss mailing list: https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
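Added illustration of the routing rule the post argues for; this is a simplified model of dnsmasq-style server=/domain/ selection and not dnsmasq's own code. The rule table, the `DEFAULT` placeholder for the resolv.conf upstream and the `ds_to_parent` switch are constructed for the example.

```python
# Simplified model of dnsmasq-style upstream selection (added example, not
# dnsmasq code). The point: a DS record lives in the PARENT zone, so a DS
# query must be matched against the parent of the query name, otherwise the
# DS for kleine-koenig.org is sent to the child's authoritative server, which
# cannot answer it, and the validator reports a broken trust chain.

DEFAULT = "default"  # placeholder for the upstream(s) from resolv.conf

# Constructed rule table, as the post's "server=/kleine-koenig.org/::1#10053"
RULES = {"kleine-koenig.org": "::1#10053"}


def parent(name):
    """Strip the leftmost label: 'www.example.org' -> 'example.org', 'org' -> ''."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def select_upstream(qname, qtype, rules, ds_to_parent=True):
    """Longest-suffix match of qname against the server=/domain/ rules.

    With ds_to_parent=True a DS query is routed as if it were a query for the
    parent name (DS for 'kleine-koenig.org' is routed like 'org'). With
    ds_to_parent=False it models the behaviour the post describes as broken.
    """
    name = qname.rstrip(".").lower()
    if qtype == "DS" and ds_to_parent:
        name = parent(name)
    # Walk up the name towards the root and return the first matching rule.
    while True:
        if name in rules:
            return rules[name]
        if name == "":
            return DEFAULT
        name = parent(name)


if __name__ == "__main__":
    for qn, qt in [("www.kleine-koenig.org", "A"), ("kleine-koenig.org", "DNSKEY"),
                   ("kleine-koenig.org", "DS"), ("www.kleine-koenig.org", "DS")]:
        print(qn, qt, "->", select_upstream(qn, qt, RULES),
              "(old:", select_upstream(qn, qt, RULES, ds_to_parent=False) + ")")
```

Only the DS query for the delegated name itself changes destination; a DS query for a name below kleine-koenig.org still goes to [::1]:10053, since that DS would live in the kleine-koenig.org zone.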
