[Dnsmasq-discuss] Hint needed: neither patched 'dnsmasq 2.75' nor '2.76test4' will compile
Hi, sorry, this will be rather long... I'm trying to compile 'dnsmasq 2.75' (for use with 'IPFire 2.17 (i586) - core95') with all available patches but I'm always runnning into errors. Michael Tremer gave me the hint to ask here. Building always stops with the exact same errors, regardless if I use '2.75' with a total of 41 patches by now, or the original '2.75test4'-source. Log from building '2.75', with 41 patches by now: ***SNIP*** Jan 4 23:34:10: Building dnsmasq dnsmasq-2.75.tar.xz checksum OK + cd /usr/src/lfs + make -f dnsmasq LFS_BASEDIR=/usr/src install == Installing dnsmasq-2.75 ... Install started; saving file list to /usr/src/lsalr ... cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch patching file CHANGELOG patching file src/rfc1035.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch patching file CHANGELOG patching file man/dnsmasq.8 patching file src/dnsmasq.h patching file src/option.c patching file src/rfc1035.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch patching file src/forward.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch patching file src/rfc3315.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch patching file src/network.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch patching file man/dnsmasq.8 cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch patching file src/dhcp-common.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch patching file CHANGELOG patching file src/inotify.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch patching file src/rfc3315.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch patching file src/dhcp.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch patching file src/rfc1035.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_A_record_from.patch patching file CHANGELOG patching file src/cache.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch patching file src/option.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch patching file src/dnsmasq.h patching file src/dnssec.c patching file src/forward.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_cache.patch patching file src/cache.c patching file src/dnsmasq.h patching file src/dnssec.c patching file src/rfc1035.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_logical_place.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0.patch patching file Makefile patching file bld/Android.mk patching file src/dnsmasq.h patching file src/dnssec.c patching file src/forward.c patching file src/rrfilter.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch patching file src/dnssec.c patching file src/rfc1035.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75 && patch -Np1 -i /usr/src/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch patching file src/dnssec.c cd /usr/src/dnsmasq-2.75
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/01/16 17:29, Uwe Schindler wrote: > Hi, > > That is fixed already (used 2.75 from debian, no bleeding edge)! I > tried test3 (now test4 because of spinning bug) and this one worked > correctly. The test page also passed: http://0skar.cz/dns/en/ Good, good. > > Do you have an idea, which commit may have fixed it? I found one > (see other mail), but it talked about CNAME's which were not used > here. The code in that commit is now gone, the post-2.75 re-write drastically simplifies this code, and avoids all the special-case code that was there before. I'm slightly puzzled that http://0skar.cz/dns/en/ failed, since there was a campaign to fix all the bugs that showed up before, and at one time, last year, it would pass everything. Maybe the problem this time was the very-long expiration times on some of the signatures. That bug has been there forever, so the records must have changed since I last tried it. Cheers, Simon. > > Uwe > -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWiq6gAAoJEBXN2mrhkTWiRbYP/iDq6p+DSiT3yckBtG1BKcq+ iTVuBE7yD50kptiEi2pQ88MJYaLWyUcSfCkdCOwn+jv0DiZxICl8zPyCyBasgEIg vs3JeNP+ymUixSEQ2l6poq86cFEKqSZhHT1vIwJtqMR0Ds0gaROJaC5dDOxmvR+K FPseHNy944ljmioyMEHxKERxF3ikOaFLIGvauLbf2JYXZGKmN97nngp5WFVtv3Zg MMsDqjoM497gpoDNiPBXfUykgj3kCRtfin8/HWXC+XzRAG9lo+C5ePgFBdV056ZO Sebv2WhzEaAOb+aRYFazNh+Sf43da6SWSBLmkyovUqC79ahzSkS5q0H1NCv9TWek 8f16fRKw75eZheCA82VvHe+kSaGmNsCle/T/lWH7ahK3Lz8oI8u1sRFar2UBxsmW aZPBZbol4AeMfATXjyvudZnQPe7bH7p3EZZktYp0n4/NjtB78vad9PZqHk3QoW4b vI/dpBIbnAevlVbzbAbyS9JkUVoh1kh/bTPUwrVhdIqoy0Yl8hIGVvBpHcs0Tahj piqQqtUQj05Y/GLMOLfViZbYhy+fCOVrzfR43kwEGpAorVjDvBqeVf8ix4JrJ9rz ZBkUMN3NH5ghl3Qm4lTQZ4PywzM5A/DPhr7t9FIotAw1KH09BePREfm1DQyeNYkC k7CoGW6PAFLtx/AjbRp5 =5aga -END PGP SIGNATURE- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] CPU spin in master
Hi, Grabbed, compiled, and installed it. I'll report back. It is now in use on my router, so I'll see if anything like this happens again. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Simon Kelley [mailto:si...@thekelleys.org.uk] > Sent: Monday, January 04, 2016 6:19 PM > To: Uwe Schindler > Cc: dnsmasq-discuss@lists.thekelleys.org.uk; 'Kevin Darbyshire-Bryant' > > Subject: Re: [Dnsmasq-discuss] CPU spin in master > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Please use test4, which fixes the problem (again!) > > Cheers, > > Simon. > > > On 04/01/16 17:07, Uwe Schindler wrote: > > Hi, > > > > I'll try. Unfortunately I have to provoke the spinning somehow. I > > just installed the test version, was happy, and a few minutes back > > it was no longer responding. TOP showed 99% CPU. > > > > By the way, box is a VIA C7 standard x86 box (32 bits), not MIPS > > like Kevin's. > > > > Uwe > > > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > > http://www.thetaphi.de eMail: u...@thetaphi.de > > > > > >> -Original Message- From: Simon Kelley > >> [mailto:si...@thekelleys.org.uk] Sent: Monday, January 04, 2016 > >> 6:04 PM To: Uwe Schindler Cc: > >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: > >> [Dnsmasq-discuss] CPU spin in master > >> > > Yes, the fix is in test3. Can you build with debug symbols > > > > make CFLAGS=-g > > > > > > and run under gdb, to find where it's spinning? > > > > > > Cheers, > > > > Simon > > > > > > On 04/01/16 17:01, Uwe Schindler wrote: > Hi, > > ALARM: I compiled "2.76test3" and now it is spinning with > 100% CPU on my box, box responds slow or not at all on DNS > query. Was the fix included in "test3"? I updated from 2.75 > to 2.76test3 because of the previously mentioned wildcard > dnssec issue. > > Uwe > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > > > -Original Message- From: Dnsmasq-discuss > > [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] > > On Behalf Of Simon Kelley Sent: Monday, January 04, 2016 > > 5:15 PM To: dnsmasq-discuss@lists.thekelleys.org.uk > > Subject: Re: [Dnsmasq-discuss] CPU spin in master > > > Think that one's fixed then :) Many thanks. > > > Simon. > > > On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: > >>> Router survived the night. No obvious problems noted > >>> :-) > >>> > >>> -- Cheers, > >>> > >>> Kevin Sent from my phone, apologies for brevity, > >>> spelling & top posting > >>> > On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant > wrote: > > > > > On 01/01/16 20:27, Simon Kelley wrote: > >> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: > >> Hi Simon, > >> > >> So this is a pretty vague report of something > >> lurking in very recent code.# > > It's pretty good really. I stared at the > > ARP-caching code and found a fault in the linked > > list code that could introduce a cycle and create > > exactly the symptoms you're seeing. > > > > > > Git HEAD or 2.76test2 should do it. Please could > > you try it? > It's compiling as I type - will report back :-) > > > > > > And many thanks for testing my new code! > Well if we all played it safe and avoided the > bleeding edge stuff nothing would get spotted & fixed > would it :-) Someone has to try and I'd hardly regard > my home router as life critical (although my niece > would have a different opinion on that if she were > visiting) > > Thanks, > > Kevin > > > ___ > > Dnsmasq- > discuss > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > > > > > ___ Dnsmasq- > discuss > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > > > > > > ___ > > Dnsmasq-discuss mailing list > > Dnsmasq-discuss@lists.thekelleys.org.uk > > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > > > > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.22 (GNU/Linux) > > iQIcBAEBCAAGBQJWiqmcAAoJEBXN2mrhkTWimYMQAI/P0McloHDUNTkh5Nl > clb3y > nutfRAn9mIzuKZCxdEg+ZdbGyHuZZsJe/KXnXIh5Z12blcBsVQ1VJ6
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Hi, That is fixed already (used 2.75 from debian, no bleeding edge)! I tried test3 (now test4 because of spinning bug) and this one worked correctly. The test page also passed: http://0skar.cz/dns/en/ Do you have an idea, which commit may have fixed it? I found one (see other mail), but it talked about CNAME's which were not used here. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Dnsmasq-discuss [mailto:dnsmasq-discuss- > boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley > Sent: Monday, January 04, 2016 4:55 PM > To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work > with DNSSEC > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > What release are you using, Uwe. > > I just tried the git-HEAD code, and pangaea.de is OK, both > issues.pangea.de, which is a genuine record, and simon.pangea.de which > is an expansion of the wildcard > > ;simon.pangaea.de.IN A > > ;; ANSWER SECTION: > simon.pangaea.de. 21599 IN A 134.1.2.171 > simon.pangaea.de. 21599 IN RRSIG A 7 2 28800 20160109144508 > 20151226151023 12714 pangaea.de. > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > ;; AUTHORITY SECTION: > pangaea.de. 21599 IN NS ns2.domaindiscount24.net. > pangaea.de. 21599 IN NS ns3.domaindiscount24.net. > pangaea.de. 21599 IN NS ns1.domaindiscount24.net. > pangaea.de. 21599 IN RRSIG NS 7 2 28800 20160109071640 > 20151226151023 > 12714 pangaea.de. > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= > ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5 > 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME > RRSIG > ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 > 3 > 3600 2016055643 20151228181431 12714 pangaea.de. > JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2 > qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb > B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ > MRM= > > > The 0skar.cz test domains have very long dates on the signature > expiration fields, which found a bug in that code. Having fixed that, > I can validate everything that Google DNS validates. > > Cheers, > > Simon. > > > > On 04/01/16 14:48, Uwe Schindler wrote: > > Hi, > > > > I found out that resolving of DNSSEC signed wildcard domains does > > not work correctly with dnsmasq. I think the problem is that it > > looks for a signature of the requested domain name and not the > > wildcard. > > > > The following fails: > > > > $ dig issues.pangaea.de > > > > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de ;; global > > options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: > > SERVFAIL, id: 59252 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, > > AUTHORITY: 0, ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > > QUESTION SECTION: ;issues.pangaea.de. IN A > > > > ;; Query time: 18 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: > > Mon Jan 04 15:43:42 CET 2016 ;; MSG SIZE rcvd: 46 > > > > > > The reason is: "issues.pangaea.de" is covered by a star domain > > "*.pangaea.de" that is correctly signed (tested from another server > > - not using dnsmasq): > > > > $ dig +dnssec *.pangaea.de > > > > ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' ;; global options: > > +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, > > id: 8436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, > > ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > > QUESTION SECTION: ;*.pangaea.de. IN A > > > > ;; ANSWER SECTION: *.pangaea.de. 28790 IN A > > 134.1.2.171 *.pangaea.de. 28790 IN RRSIG A 7 2 > > 28800 20160109144508 20151226151023 12714 pangaea.de. > > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > > > ;; AUTHORITY SECTION: pangaea.de. 28790 IN NS > > ns2.domaindiscount24.net. pangaea.de. 28790 IN > > NS ns3.domaindiscount24.net. pangaea.de. 28790 > > IN NS ns1.domaindiscount24.net. pangaea.de. > > 28790 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 > > 12714 pangaea.de. > > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Hi, > I just tried the git-HEAD code, and pangaea.de is OK, both > issues.pangea.de, which is a genuine record, and simon.pangea.de which > is an expansion of the wildcard I changed issues.pangaea.de to a genuine record already (this is how I identified the issue). The test with simon.pangaea.de now also passes (test4), but this one is broken with 2.75. Sorry for changing the DNS record after I submitted to this mailing list. > ;simon.pangaea.de.IN A > > ;; ANSWER SECTION: > simon.pangaea.de. 21599 IN A 134.1.2.171 > simon.pangaea.de. 21599 IN RRSIG A 7 2 28800 20160109144508 > 20151226151023 12714 pangaea.de. > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > ;; AUTHORITY SECTION: > pangaea.de. 21599 IN NS ns2.domaindiscount24.net. > pangaea.de. 21599 IN NS ns3.domaindiscount24.net. > pangaea.de. 21599 IN NS ns1.domaindiscount24.net. > pangaea.de. 21599 IN RRSIG NS 7 2 28800 20160109071640 > 20151226151023 > 12714 pangaea.de. > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= > ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5 > 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME > RRSIG > ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 > 3 > 3600 2016055643 20151228181431 12714 pangaea.de. > JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2 > qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb > B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ > MRM= > > > The 0skar.cz test domains have very long dates on the signature > expiration fields, which found a bug in that code. Having fixed that, > I can validate everything that Google DNS validates. > > Cheers, > > Simon. > > > > On 04/01/16 14:48, Uwe Schindler wrote: > > Hi, > > > > I found out that resolving of DNSSEC signed wildcard domains does > > not work correctly with dnsmasq. I think the problem is that it > > looks for a signature of the requested domain name and not the > > wildcard. > > > > The following fails: > > > > $ dig issues.pangaea.de > > > > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de ;; global > > options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: > > SERVFAIL, id: 59252 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, > > AUTHORITY: 0, ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > > QUESTION SECTION: ;issues.pangaea.de. IN A > > > > ;; Query time: 18 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: > > Mon Jan 04 15:43:42 CET 2016 ;; MSG SIZE rcvd: 46 > > > > > > The reason is: "issues.pangaea.de" is covered by a star domain > > "*.pangaea.de" that is correctly signed (tested from another server > > - not using dnsmasq): > > > > $ dig +dnssec *.pangaea.de > > > > ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' ;; global options: > > +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, > > id: 8436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, > > ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > > QUESTION SECTION: ;*.pangaea.de. IN A > > > > ;; ANSWER SECTION: *.pangaea.de. 28790 IN A > > 134.1.2.171 *.pangaea.de. 28790 IN RRSIG A 7 2 > > 28800 20160109144508 20151226151023 12714 pangaea.de. > > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > > > ;; AUTHORITY SECTION: pangaea.de. 28790 IN NS > > ns2.domaindiscount24.net. pangaea.de. 28790 IN > > NS ns3.domaindiscount24.net. pangaea.de. 28790 > > IN NS ns1.domaindiscount24.net. pangaea.de. > > 28790 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 > > 12714 pangaea.de. > > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK > W+g= > > > > ;; Query time: 0 msec ;; SERVER: 85.25.128.10#53(85.25.128.10) ;; > > WHEN: Mon Jan 4 14:42:43 2016 ;; MSG SIZE rcvd: 471 > > > > How should this be solved? This is another one where dnssec fails, > > so clearly a bug. > > > > There is a test page about exactly that case, which fails for me > > when resolving through dnsmasq: http://0skar.cz/dns/en/ > > > > Uwe > > > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > > http://www.thetaphi.de eMail: u...@thetaphi.de > > > > > > > > > > ___ Dnsmasq-
Re: [Dnsmasq-discuss] CPU spin in master
Hi, I'll try. Unfortunately I have to provoke the spinning somehow. I just installed the test version, was happy, and a few minutes back it was no longer responding. TOP showed 99% CPU. By the way, box is a VIA C7 standard x86 box (32 bits), not MIPS like Kevin's. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Simon Kelley [mailto:si...@thekelleys.org.uk] > Sent: Monday, January 04, 2016 6:04 PM > To: Uwe Schindler > Cc: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] CPU spin in master > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Yes, the fix is in test3. Can you build with debug symbols > > make CFLAGS=-g > > > and run under gdb, to find where it's spinning? > > > Cheers, > > Simon > > > On 04/01/16 17:01, Uwe Schindler wrote: > > Hi, > > > > ALARM: I compiled "2.76test3" and now it is spinning with 100% CPU > > on my box, box responds slow or not at all on DNS query. Was the > > fix included in "test3"? I updated from 2.75 to 2.76test3 because > > of the previously mentioned wildcard dnssec issue. > > > > Uwe > > > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > > http://www.thetaphi.de eMail: u...@thetaphi.de > > > > > >> -Original Message- From: Dnsmasq-discuss > >> [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] On > >> Behalf Of Simon Kelley Sent: Monday, January 04, 2016 5:15 PM To: > >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: > >> [Dnsmasq-discuss] CPU spin in master > >> > > Think that one's fixed then :) Many thanks. > > > > > > Simon. > > > > > > On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: > Router survived the night. No obvious problems noted :-) > > -- Cheers, > > Kevin Sent from my phone, apologies for brevity, spelling & > top posting > > > On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant > > wrote: > > > > > > > >> On 01/01/16 20:27, Simon Kelley wrote: > >>> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: Hi > >>> Simon, > >>> > >>> So this is a pretty vague report of something lurking > >>> in very recent code.# > >> It's pretty good really. I stared at the ARP-caching code > >> and found a fault in the linked list code that could > >> introduce a cycle and create exactly the symptoms you're > >> seeing. > >> > >> > >> Git HEAD or 2.76test2 should do it. Please could you try > >> it? > > It's compiling as I type - will report back :-) > >> > >> > >> And many thanks for testing my new code! > > Well if we all played it safe and avoided the bleeding > > edge stuff nothing would get spotted & fixed would it :-) > > Someone has to try and I'd hardly regard my home router as > > life critical (although my niece would have a different > > opinion on that if she were visiting) > > > > Thanks, > > > > Kevin > > > > > > ___ > Dnsmasq- > > discuss > > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > > > > > > ___ Dnsmasq- > > discuss > > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > >> > >> > > > ___ > >> Dnsmasq-discuss mailing list > >> Dnsmasq-discuss@lists.thekelleys.org.uk > >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.22 (GNU/Linux) > > iQIcBAEBCAAGBQJWiqX4AAoJEBXN2mrhkTWisoUP/0H9v94uMpBTdm19ySoL > H2EV > SWrq7uPuR7QHkJMILoyHZTLq4lk7N6SD0WkHWV9mxIZ5+J1y7PK1SSWBTAQ > VtpKD > xGlMfpmgEfAOk/eH1Txc3+WwRfKxXPu03DXBFLPlhQpwZSMgHZYngdP3ITlyC > 9ob > 41kgWUlM3z4mwe35m3GC/MKsXHF7ZYiFmpar2R+Lnwh8Q00cMFUnJs8PYbV > yk6Ql > uGqnrW4QnT+VemOHv2ZF6X9zWw63F2TtzJ1wzIItUC9biVn8PDpnr9ayH06UN > Rdo > 3Y8uHIMLp2hex28SuCpVyYPfiwbEm/44z1/Un7txx6x64Tv0AcgDscMDMQwW > LbPZ > VJhO05Mba9u0G/xAnu48MvvyAZo3aQ0M+n4LGUnXCI7Tv3iD1BBcKus2pqflV > uYG > QH4Z7aEnxfH+I+WHboPi1yY8zUcXKGlbZBAkEtJ5DMO/l5czYrz69xCrnift9Wi1 > NdqtOpj72nnNuSxfiQnBQ1FcjNR05iG4dD5Vdgash7phVPi839ipJ5NgSRFK+sG > N > 8/nRaOwAxluj2ZMnfVEs06fiikNa9Hjen8c3+x+DwkLVtmqHrVKeVRXleV67Rtn > x > uE7Xr93Cn3yPC3SsBMrsUKaZW2VAfaTCInJ7YFsFuogwbrSzDsHgxosRIPOnuS > wF > MSMtK6L+LnARO4qnby2o > =DZau > -END PGP SIGNATURE- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] CPU spin in master
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Apologies. Don't waste your time. I've managed to make git lose the update somehow. Will get test4 fixed ASAP. Cheers, Simon. On 04/01/16 17:07, Uwe Schindler wrote: > Hi, > > I'll try. Unfortunately I have to provoke the spinning somehow. I > just installed the test version, was happy, and a few minutes back > it was no longer responding. TOP showed 99% CPU. > > By the way, box is a VIA C7 standard x86 box (32 bits), not MIPS > like Kevin's. > > Uwe > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > >> -Original Message- From: Simon Kelley >> [mailto:si...@thekelleys.org.uk] Sent: Monday, January 04, 2016 >> 6:04 PM To: Uwe Schindler Cc: >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: >> [Dnsmasq-discuss] CPU spin in master >> > Yes, the fix is in test3. Can you build with debug symbols > > make CFLAGS=-g > > > and run under gdb, to find where it's spinning? > > > Cheers, > > Simon > > > On 04/01/16 17:01, Uwe Schindler wrote: Hi, ALARM: I compiled "2.76test3" and now it is spinning with 100% CPU on my box, box responds slow or not at all on DNS query. Was the fix included in "test3"? I updated from 2.75 to 2.76test3 because of the previously mentioned wildcard dnssec issue. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- From: Dnsmasq-discuss > [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] > On Behalf Of Simon Kelley Sent: Monday, January 04, 2016 > 5:15 PM To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] CPU spin in master > Think that one's fixed then :) Many thanks. Simon. On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: >>> Router survived the night. No obvious problems noted >>> :-) >>> >>> -- Cheers, >>> >>> Kevin Sent from my phone, apologies for brevity, >>> spelling & top posting >>> On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant wrote: > On 01/01/16 20:27, Simon Kelley wrote: >> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: >> Hi Simon, >> >> So this is a pretty vague report of something >> lurking in very recent code.# > It's pretty good really. I stared at the > ARP-caching code and found a fault in the linked > list code that could introduce a cycle and create > exactly the symptoms you're seeing. > > > Git HEAD or 2.76test2 should do it. Please could > you try it? It's compiling as I type - will report back :-) > > > And many thanks for testing my new code! Well if we all played it safe and avoided the bleeding edge stuff nothing would get spotted & fixed would it :-) Someone has to try and I'd hardly regard my home router as life critical (although my niece would have a different opinion on that if she were visiting) Thanks, Kevin ___ > Dnsmasq- discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > ___ Dnsmasq- discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWiqd/AAoJEBXN2mrhkTWiYFEP/AoWYFbbItSysaxi7G+5AmBY FAQA6YTaM4f+JH4qwKAv4kglhookoe/qtggey2uvRILaY2IS3u+LKFYujoZ0kkeU xEiSdf7rQMpNmLHOaHh6VAuFclhDCOug+fmL6kgdM2Cu0Lv2O67UJNdJg5/P3e/R wbyjU4hNVpCKNeJk25nFr0Eapb7FQjNpMYNgFx7p5dfoap8Fi9vaGUo/MNumLEB6 E4llCMJ5rbOA+JPRi6Zz7ZxGv12Dc8OsDk8qH1zr39VmNXx7po100+9PBRWz7ncE endOLCgI18ucsaDmwo30+bO69PwbjWxO9DQdILu4J9XaYlpF08pwWeFoLmqIkZw4 nfHYUymL7CiQlrPVjMvG86BS3+XRA+6Puzktqwf4ivIJGEDrhSb1spre3lRqgfog yWKQGlyY8y7DszWfnrdDRda4XnwccSB1S1+b/D/fD/KDVs/UJTY/2rDolFap8jgA JNKtuJxThMuAYkCeSAUVkFGviNj7eQinkefJ4+gIUlQkmnZz+RhSuUT3fwA+CLf6 skmW8gxG0A2vG3IBA+r/bC0q53kOaLK1d5YGQhbLbM843HfMvEpYyyaiTqQRtUJQ F6LIbaSz7BoiYatPFLF0RKiPt3IcwE//kSWnQ4n09ORn9Jud4FOOUPYK6bDHICKG XXw9kWpUGqqxiL/JJWII =f0l/ -END PGP SIGNATURE- ___ Dnsmasq-discuss mai
Re: [Dnsmasq-discuss] CPU spin in master
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please use test4, which fixes the problem (again!) Cheers, Simon. On 04/01/16 17:07, Uwe Schindler wrote: > Hi, > > I'll try. Unfortunately I have to provoke the spinning somehow. I > just installed the test version, was happy, and a few minutes back > it was no longer responding. TOP showed 99% CPU. > > By the way, box is a VIA C7 standard x86 box (32 bits), not MIPS > like Kevin's. > > Uwe > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > >> -Original Message- From: Simon Kelley >> [mailto:si...@thekelleys.org.uk] Sent: Monday, January 04, 2016 >> 6:04 PM To: Uwe Schindler Cc: >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: >> [Dnsmasq-discuss] CPU spin in master >> > Yes, the fix is in test3. Can you build with debug symbols > > make CFLAGS=-g > > > and run under gdb, to find where it's spinning? > > > Cheers, > > Simon > > > On 04/01/16 17:01, Uwe Schindler wrote: Hi, ALARM: I compiled "2.76test3" and now it is spinning with 100% CPU on my box, box responds slow or not at all on DNS query. Was the fix included in "test3"? I updated from 2.75 to 2.76test3 because of the previously mentioned wildcard dnssec issue. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- From: Dnsmasq-discuss > [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] > On Behalf Of Simon Kelley Sent: Monday, January 04, 2016 > 5:15 PM To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] CPU spin in master > Think that one's fixed then :) Many thanks. Simon. On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: >>> Router survived the night. No obvious problems noted >>> :-) >>> >>> -- Cheers, >>> >>> Kevin Sent from my phone, apologies for brevity, >>> spelling & top posting >>> On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant wrote: > On 01/01/16 20:27, Simon Kelley wrote: >> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: >> Hi Simon, >> >> So this is a pretty vague report of something >> lurking in very recent code.# > It's pretty good really. I stared at the > ARP-caching code and found a fault in the linked > list code that could introduce a cycle and create > exactly the symptoms you're seeing. > > > Git HEAD or 2.76test2 should do it. Please could > you try it? It's compiling as I type - will report back :-) > > > And many thanks for testing my new code! Well if we all played it safe and avoided the bleeding edge stuff nothing would get spotted & fixed would it :-) Someone has to try and I'd hardly regard my home router as life critical (although my niece would have a different opinion on that if she were visiting) Thanks, Kevin ___ > Dnsmasq- discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > ___ Dnsmasq- discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWiqmcAAoJEBXN2mrhkTWimYMQAI/P0McloHDUNTkh5Nlclb3y nutfRAn9mIzuKZCxdEg+ZdbGyHuZZsJe/KXnXIh5Z12blcBsVQ1VJ64Y5Q62rUkg vuxLVgvToXYfUzLJSwQqs7TJJ0jH0mydyD3rXkoCY+x76IcX0d4d47UqQYce+vs8 ppzqxIN2Wi1AuHYrpSCHU0FXUjqqs7fGL3l7RuV8Lsmw6Hz4sksNuwuG6KZkuc3P kmQJcTcXl9Ew0aXeR66MsS0rtN7UUJo0M/DYhijhgmx8MAnGYyA0c6PjNn7BLSMq hL1QasBPs2Urb9jYlBi+1LrBB6O5O6vLo/MlqEyQKtAsZUgPXORJeYDFVWuM6F+N R5F/Qd1vd+6pvxgCagN2TN9Zvizev29HpO6YSpZ8zGIxuFHpWh9dQQEKnWheE0lk 4SdQWLOYrH6ge3zJC6z74MxyNasB4Hmau2Ttwl7/Bmye2rz7vqOmgx4Gfep1ZJr5 kqIDPWn8EPpjFnTR/hdxoR0S9LTHVZpHTKERVHtpJHni9P4x2LqVuAmvysWdSFDY IP7fRRm3cVvxI+Y3a73f1uerBb/80k4fWAFg7tPTpZDD98FdduRT4zUqziYVrHuE aKEF5iDN6QHlan3Uj/QhmAsDfjgAgDs5fQWnBa2M2QH/F8CIXefz31UcpKkr0yB1 IFYcFLCIesL4yt1srpX2 =8frm -END PGP SIGNATURE- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://list
Re: [Dnsmasq-discuss] CPU spin in master
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Yes, the fix is in test3. Can you build with debug symbols make CFLAGS=-g and run under gdb, to find where it's spinning? Cheers, Simon On 04/01/16 17:01, Uwe Schindler wrote: > Hi, > > ALARM: I compiled "2.76test3" and now it is spinning with 100% CPU > on my box, box responds slow or not at all on DNS query. Was the > fix included in "test3"? I updated from 2.75 to 2.76test3 because > of the previously mentioned wildcard dnssec issue. > > Uwe > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > >> -Original Message- From: Dnsmasq-discuss >> [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] On >> Behalf Of Simon Kelley Sent: Monday, January 04, 2016 5:15 PM To: >> dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: >> [Dnsmasq-discuss] CPU spin in master >> > Think that one's fixed then :) Many thanks. > > > Simon. > > > On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: Router survived the night. No obvious problems noted :-) -- Cheers, Kevin Sent from my phone, apologies for brevity, spelling & top posting > On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant > wrote: > > > >> On 01/01/16 20:27, Simon Kelley wrote: >>> On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: Hi >>> Simon, >>> >>> So this is a pretty vague report of something lurking >>> in very recent code.# >> It's pretty good really. I stared at the ARP-caching code >> and found a fault in the linked list code that could >> introduce a cycle and create exactly the symptoms you're >> seeing. >> >> >> Git HEAD or 2.76test2 should do it. Please could you try >> it? > It's compiling as I type - will report back :-) >> >> >> And many thanks for testing my new code! > Well if we all played it safe and avoided the bleeding > edge stuff nothing would get spotted & fixed would it :-) > Someone has to try and I'd hardly regard my home router as > life critical (although my niece would have a different > opinion on that if she were visiting) > > Thanks, > > Kevin > > > ___ Dnsmasq- > discuss > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > > > ___ Dnsmasq- > discuss > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >> >> > ___ >> Dnsmasq-discuss mailing list >> Dnsmasq-discuss@lists.thekelleys.org.uk >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > > -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWiqX4AAoJEBXN2mrhkTWisoUP/0H9v94uMpBTdm19ySoLH2EV SWrq7uPuR7QHkJMILoyHZTLq4lk7N6SD0WkHWV9mxIZ5+J1y7PK1SSWBTAQVtpKD xGlMfpmgEfAOk/eH1Txc3+WwRfKxXPu03DXBFLPlhQpwZSMgHZYngdP3ITlyC9ob 41kgWUlM3z4mwe35m3GC/MKsXHF7ZYiFmpar2R+Lnwh8Q00cMFUnJs8PYbVyk6Ql uGqnrW4QnT+VemOHv2ZF6X9zWw63F2TtzJ1wzIItUC9biVn8PDpnr9ayH06UNRdo 3Y8uHIMLp2hex28SuCpVyYPfiwbEm/44z1/Un7txx6x64Tv0AcgDscMDMQwWLbPZ VJhO05Mba9u0G/xAnu48MvvyAZo3aQ0M+n4LGUnXCI7Tv3iD1BBcKus2pqflVuYG QH4Z7aEnxfH+I+WHboPi1yY8zUcXKGlbZBAkEtJ5DMO/l5czYrz69xCrnift9Wi1 NdqtOpj72nnNuSxfiQnBQ1FcjNR05iG4dD5Vdgash7phVPi839ipJ5NgSRFK+sGN 8/nRaOwAxluj2ZMnfVEs06fiikNa9Hjen8c3+x+DwkLVtmqHrVKeVRXleV67Rtnx uE7Xr93Cn3yPC3SsBMrsUKaZW2VAfaTCInJ7YFsFuogwbrSzDsHgxosRIPOnuSwF MSMtK6L+LnARO4qnby2o =DZau -END PGP SIGNATURE- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] CPU spin in master
Hi, ALARM: I compiled "2.76test3" and now it is spinning with 100% CPU on my box, box responds slow or not at all on DNS query. Was the fix included in "test3"? I updated from 2.75 to 2.76test3 because of the previously mentioned wildcard dnssec issue. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Dnsmasq-discuss [mailto:dnsmasq-discuss- > boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley > Sent: Monday, January 04, 2016 5:15 PM > To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] CPU spin in master > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Think that one's fixed then :) Many thanks. > > > Simon. > > > On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: > > Router survived the night. No obvious problems noted :-) > > > > -- Cheers, > > > > Kevin Sent from my phone, apologies for brevity, spelling & top > > posting > > > >> On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant > >> wrote: > >> > >> > >> > >>> On 01/01/16 20:27, Simon Kelley wrote: > On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: Hi Simon, > > So this is a pretty vague report of something lurking in very > recent code.# > >>> It's pretty good really. I stared at the ARP-caching code and > >>> found a fault in the linked list code that could introduce a > >>> cycle and create exactly the symptoms you're seeing. > >>> > >>> > >>> Git HEAD or 2.76test2 should do it. Please could you try it? > >> It's compiling as I type - will report back :-) > >>> > >>> > >>> And many thanks for testing my new code! > >> Well if we all played it safe and avoided the bleeding edge > >> stuff nothing would get spotted & fixed would it :-) Someone has > >> to try and I'd hardly regard my home router as life critical > >> (although my niece would have a different opinion on that if she > >> were visiting) > >> > >> Thanks, > >> > >> Kevin > >> > >> > >> ___ Dnsmasq- > discuss > >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > >> > >> > >> ___ Dnsmasq- > discuss > >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.22 (GNU/Linux) > > iQIcBAEBCAAGBQJWipp4AAoJEBXN2mrhkTWiOs4P/0Vm32VFtw9CYnMvNTR > eOcDu > UTNWgFHtE3cVbgiuUqTcuU0h7txR5lCfusoA5P3ed1Q37XcoNr6Vmgk6gaVk6q > y5 > dG0zNOb2r+hYiP6HyxG0tL0DluA5XOA9eb7T6BEN7KfvwS4ZRKrPOVK0sQXu2T > IL > YNmho2nixjjMDj51IbjovFhJaAFCipZipSS+OwsdpC+KJ63upraccP/9/6+4DX9R > rq1l8tJZhkDWygESHsd+Wsxtfe/4oOvl4QSkOakIsse0kurXjLZiA7DPUaObOeG0 > gVTM+rXdOFmeWKFUPlOb18ZhYEUPZCcKgSvfzy7Aj2wJ5l3VR5YQJ+wKWQFl > gVRA > MDJK/2y8eBOrBZOxNzcX41/33CE2fh2mKNaeRsBBf5vhYsMXq5QKePCdwDhy > vHN6 > hLUy1Um0VytaWuJE6tbWLrH3Y2DPNVp4ZJWuBz3h6uLBE/eeG4ZAnFtIwM0j > Bjd+ > kVBXOkTjhYdnYpWS0MRus0v3kpy4iUSiELzyjUOW+97oZbtPWhDVeL0mxqyF > bmj3 > gzbzgfS+K9ApJbEdUt3THwYShRRTllq3YSdUPE2aFPmDC56rVdUapCZMtLapIup > 9 > tRiTTp30uCYDp7pIPUJHFByCEGLWr460ZXKpJxzsINcwScY/kTe5R6VcZCDpiCFR > VK5MYc4AFdfXIXSDIRKb > =u1u4 > -END PGP SIGNATURE- > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
On 04/01/2016 16:05, Uwe Schindler wrote: > Hi, > > Was there a change in dnsmasq related to this? Would be good to get some > feedback. I'll try this version now. Currently I am running 2.75 (Debian > testing pkg 2.75-1) Yes. BIG changes. See the git log: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary In fact I see I am far behind the times - test3 out 12 minutes ago :-) > Do you have dnssec enabled? Yes. Kevin ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Hi, Was there a change in dnsmasq related to this? Would be good to get some feedback. I'll try this version now. Currently I am running 2.75 (Debian testing pkg 2.75-1) Do you have dnssec enabled? Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Dnsmasq-discuss [mailto:dnsmasq-discuss- > boun...@lists.thekelleys.org.uk] On Behalf Of Kevin Darbyshire-Bryant > Sent: Monday, January 04, 2016 4:40 PM > To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work > with DNSSEC > > > > On 04/01/16 14:48, Uwe Schindler wrote: > > Hi, > > > > I found out that resolving of DNSSEC signed wildcard domains does not > work correctly with dnsmasq. I think the problem is that it looks for a > signature of the requested domain name and not the wildcard. > > > > > > > > ;; Query time: 0 msec > > ;; SERVER: 85.25.128.10#53(85.25.128.10) > > ;; WHEN: Mon Jan 4 14:42:43 2016 > > ;; MSG SIZE rcvd: 471 > > > > How should this be solved? This is another one where dnssec fails, so > clearly a bug. > > > > There is a test page about exactly that case, which fails for me when > resolving through dnsmasq: http://0skar.cz/dns/en/ > > > > Uwe > > > > - > > Uwe Schindler > > H.-H.-Meier-Allee 63, D-28213 Bremen > > http://www.thetaphi.de > > eMail: u...@thetaphi.de > > > > > I just tried that page using dnsmasq276test2 and got 'green' for all tests. > > Kevin > ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Hi, Yeah, works. Just rebuilt debian package with "2.76test3" - all fine now. It could be that this has fixed it: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=13480e8c2a0e170a5e070f82c46e6ae00c464a89 (although this talks about a wildcard pointing to a CNAME). Maybe Simon can inform us which commit fixed this issue. Thanks for the quick reply! Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Kevin Darbyshire-Bryant [mailto:ke...@darbyshire-bryant.me.uk] > Sent: Monday, January 04, 2016 5:19 PM > To: Uwe Schindler > Cc: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work > with DNSSEC > > > > On 04/01/2016 16:05, Uwe Schindler wrote: > > Hi, > > > > Was there a change in dnsmasq related to this? Would be good to get some > feedback. I'll try this version now. Currently I am running 2.75 (Debian > testing > pkg 2.75-1) > Yes. BIG changes. See the git log: > http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary > > In fact I see I am far behind the times - test3 out 12 minutes ago :-) > > Do you have dnssec enabled? > Yes. > > Kevin ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] CPU spin in master
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Think that one's fixed then :) Many thanks. Simon. On 03/01/16 10:42, Kevin Darbyshire-Bryant wrote: > Router survived the night. No obvious problems noted :-) > > -- Cheers, > > Kevin Sent from my phone, apologies for brevity, spelling & top > posting > >> On 2 Jan 2016, at 17:20, Kevin Darbyshire-Bryant >> wrote: >> >> >> >>> On 01/01/16 20:27, Simon Kelley wrote: On 01/01/16 11:28, Kevin Darbyshire-Bryant wrote: Hi Simon, So this is a pretty vague report of something lurking in very recent code.# >>> It's pretty good really. I stared at the ARP-caching code and >>> found a fault in the linked list code that could introduce a >>> cycle and create exactly the symptoms you're seeing. >>> >>> >>> Git HEAD or 2.76test2 should do it. Please could you try it? >> It's compiling as I type - will report back :-) >>> >>> >>> And many thanks for testing my new code! >> Well if we all played it safe and avoided the bleeding edge >> stuff nothing would get spotted & fixed would it :-) Someone has >> to try and I'd hardly regard my home router as life critical >> (although my niece would have a different opinion on that if she >> were visiting) >> >> Thanks, >> >> Kevin >> >> >> ___ Dnsmasq-discuss >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >> >> >> ___ Dnsmasq-discuss >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWipp4AAoJEBXN2mrhkTWiOs4P/0Vm32VFtw9CYnMvNTReOcDu UTNWgFHtE3cVbgiuUqTcuU0h7txR5lCfusoA5P3ed1Q37XcoNr6Vmgk6gaVk6qy5 dG0zNOb2r+hYiP6HyxG0tL0DluA5XOA9eb7T6BEN7KfvwS4ZRKrPOVK0sQXu2TIL YNmho2nixjjMDj51IbjovFhJaAFCipZipSS+OwsdpC+KJ63upraccP/9/6+4DX9R rq1l8tJZhkDWygESHsd+Wsxtfe/4oOvl4QSkOakIsse0kurXjLZiA7DPUaObOeG0 gVTM+rXdOFmeWKFUPlOb18ZhYEUPZCcKgSvfzy7Aj2wJ5l3VR5YQJ+wKWQFlgVRA MDJK/2y8eBOrBZOxNzcX41/33CE2fh2mKNaeRsBBf5vhYsMXq5QKePCdwDhyvHN6 hLUy1Um0VytaWuJE6tbWLrH3Y2DPNVp4ZJWuBz3h6uLBE/eeG4ZAnFtIwM0jBjd+ kVBXOkTjhYdnYpWS0MRus0v3kpy4iUSiELzyjUOW+97oZbtPWhDVeL0mxqyFbmj3 gzbzgfS+K9ApJbEdUt3THwYShRRTllq3YSdUPE2aFPmDC56rVdUapCZMtLapIup9 tRiTTp30uCYDp7pIPUJHFByCEGLWr460ZXKpJxzsINcwScY/kTe5R6VcZCDpiCFR VK5MYc4AFdfXIXSDIRKb =u1u4 -END PGP SIGNATURE- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 What release are you using, Uwe. I just tried the git-HEAD code, and pangaea.de is OK, both issues.pangea.de, which is a genuine record, and simon.pangea.de which is an expansion of the wildcard ;simon.pangaea.de. IN A ;; ANSWER SECTION: simon.pangaea.de. 21599 IN A 134.1.2.171 simon.pangaea.de. 21599 IN RRSIG A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= ;; AUTHORITY SECTION: pangaea.de. 21599 IN NS ns2.domaindiscount24.net. pangaea.de. 21599 IN NS ns3.domaindiscount24.net. pangaea.de. 21599 IN NS ns1.domaindiscount24.net. pangaea.de. 21599 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN NSEC3 1 0 5 89D0BF16A5176B72 U1NCQMCLBNAMOFE2B186713NF2I82HUC CNAME RRSIG ram3pr4d5q9klnm2dsopmt3hjmua0mf6.pangaea.de. 3599 IN RRSIG NSEC3 7 3 3600 2016055643 20151228181431 12714 pangaea.de. JuqEskBXSOC+3d+a2VPrlLlvQgMsiIa+duYpe/egYi4M9UdixtzDfYs2 qWJpDqlsO3lf5Eeeh2bbrZudnYmjQ9q4i8viPZO2j+nGdDCASFNUXzHb B7ynmS1Ba3393TAiCoYbPKbf5HURNRDjR3T6m4dUriYPGJM7mc6Q7Cu+ MRM= The 0skar.cz test domains have very long dates on the signature expiration fields, which found a bug in that code. Having fixed that, I can validate everything that Google DNS validates. Cheers, Simon. On 04/01/16 14:48, Uwe Schindler wrote: > Hi, > > I found out that resolving of DNSSEC signed wildcard domains does > not work correctly with dnsmasq. I think the problem is that it > looks for a signature of the requested domain name and not the > wildcard. > > The following fails: > > $ dig issues.pangaea.de > > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de ;; global > options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: > SERVFAIL, id: 59252 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, > AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > QUESTION SECTION: ;issues.pangaea.de. IN A > > ;; Query time: 18 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: > Mon Jan 04 15:43:42 CET 2016 ;; MSG SIZE rcvd: 46 > > > The reason is: "issues.pangaea.de" is covered by a star domain > "*.pangaea.de" that is correctly signed (tested from another server > - not using dnsmasq): > > $ dig +dnssec *.pangaea.de > > ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' ;; global options: > +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, > id: 8436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, > ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; > QUESTION SECTION: ;*.pangaea.de. IN A > > ;; ANSWER SECTION: *.pangaea.de. 28790 IN A > 134.1.2.171 *.pangaea.de. 28790 IN RRSIG A 7 2 > 28800 20160109144508 20151226151023 12714 pangaea.de. > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > ;; AUTHORITY SECTION: pangaea.de. 28790 IN NS > ns2.domaindiscount24.net. pangaea.de. 28790 IN > NS ns3.domaindiscount24.net. pangaea.de. 28790 > IN NS ns1.domaindiscount24.net. pangaea.de. > 28790 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 > 12714 pangaea.de. > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= > > ;; Query time: 0 msec ;; SERVER: 85.25.128.10#53(85.25.128.10) ;; > WHEN: Mon Jan 4 14:42:43 2016 ;; MSG SIZE rcvd: 471 > > How should this be solved? This is another one where dnssec fails, > so clearly a bug. > > There is a test page about exactly that case, which fails for me > when resolving through dnsmasq: http://0skar.cz/dns/en/ > > Uwe > > - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de eMail: u...@thetaphi.de > > > > > ___ Dnsmasq-discuss > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCAAGBQJWipXSAAoJEBXN2mrhkTWiKtAQAJ3P1xuzpuF6QUGbTQHErbJ/ ypClZDMNRWuVy0vCF8rQjZoR1xlJU5RMawUzeXmqHgfOg1v148vyZWwG/7ECTfH+ zHziB7Fi0D+lo6fwXmFMMz7L0fXRmyK1YIvQ98+rJoSImV0H8eXJxyJz
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
On 04/01/16 14:48, Uwe Schindler wrote: > Hi, > > I found out that resolving of DNSSEC signed wildcard domains does not work > correctly with dnsmasq. I think the problem is that it looks for a signature > of the requested domain name and not the wildcard. > > > > ;; Query time: 0 msec > ;; SERVER: 85.25.128.10#53(85.25.128.10) > ;; WHEN: Mon Jan 4 14:42:43 2016 > ;; MSG SIZE rcvd: 471 > > How should this be solved? This is another one where dnssec fails, so clearly > a bug. > > There is a test page about exactly that case, which fails for me when > resolving through dnsmasq: http://0skar.cz/dns/en/ > > Uwe > > - > Uwe Schindler > H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de > eMail: u...@thetaphi.de > > I just tried that page using dnsmasq276test2 and got 'green' for all tests. Kevin smime.p7s Description: S/MIME Cryptographic Signature ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Please note: I fixed the example domain to have a real A record. Try any other fake name instead: e.g., "dummy.pangaea.de", also referring to wildcard domain. Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -Original Message- > From: Uwe Schindler [mailto:u...@thetaphi.de] > Sent: Monday, January 04, 2016 3:49 PM > To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Wildcard Domain resolving does not work with DNSSEC > > Hi, > > I found out that resolving of DNSSEC signed wildcard domains does not work > correctly with dnsmasq. I think the problem is that it looks for a signature > of > the requested domain name and not the wildcard. > > The following fails: > > $ dig issues.pangaea.de > > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;issues.pangaea.de. IN A > > ;; Query time: 18 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Mon Jan 04 15:43:42 CET 2016 > ;; MSG SIZE rcvd: 46 > > > The reason is: "issues.pangaea.de" is covered by a star domain > "*.pangaea.de" that is correctly signed (tested from another server - not > using dnsmasq): > > $ dig +dnssec *.pangaea.de > > ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;*.pangaea.de. IN A > > ;; ANSWER SECTION: > *.pangaea.de. 28790 IN A 134.1.2.171 > *.pangaea.de. 28790 IN RRSIG A 7 2 28800 20160109144508 > 20151226151023 12714 pangaea.de. > jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q > MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m > HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= > > ;; AUTHORITY SECTION: > pangaea.de. 28790 IN NS ns2.domaindiscount24.net. > pangaea.de. 28790 IN NS ns3.domaindiscount24.net. > pangaea.de. 28790 IN NS ns1.domaindiscount24.net. > pangaea.de. 28790 IN RRSIG NS 7 2 28800 20160109071640 > 20151226151023 12714 pangaea.de. > l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p > O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql > maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= > > ;; Query time: 0 msec > ;; SERVER: 85.25.128.10#53(85.25.128.10) > ;; WHEN: Mon Jan 4 14:42:43 2016 > ;; MSG SIZE rcvd: 471 > > How should this be solved? This is another one where dnssec fails, so clearly > a bug. > > There is a test page about exactly that case, which fails for me when > resolving through dnsmasq: http://0skar.cz/dns/en/ > > Uwe > > - > Uwe Schindler > H.-H.-Meier-Allee 63, D-28213 Bremen > http://www.thetaphi.de > eMail: u...@thetaphi.de > ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Wildcard Domain resolving does not work with DNSSEC
Hi, I found out that resolving of DNSSEC signed wildcard domains does not work correctly with dnsmasq. I think the problem is that it looks for a signature of the requested domain name and not the wildcard. The following fails: $ dig issues.pangaea.de ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;issues.pangaea.de. IN A ;; Query time: 18 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Jan 04 15:43:42 CET 2016 ;; MSG SIZE rcvd: 46 The reason is: "issues.pangaea.de" is covered by a star domain "*.pangaea.de" that is correctly signed (tested from another server - not using dnsmasq): $ dig +dnssec *.pangaea.de ; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de' ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;*.pangaea.de. IN A ;; ANSWER SECTION: *.pangaea.de. 28790 IN A 134.1.2.171 *.pangaea.de. 28790 IN RRSIG A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64= ;; AUTHORITY SECTION: pangaea.de. 28790 IN NS ns2.domaindiscount24.net. pangaea.de. 28790 IN NS ns3.domaindiscount24.net. pangaea.de. 28790 IN NS ns1.domaindiscount24.net. pangaea.de. 28790 IN RRSIG NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g= ;; Query time: 0 msec ;; SERVER: 85.25.128.10#53(85.25.128.10) ;; WHEN: Mon Jan 4 14:42:43 2016 ;; MSG SIZE rcvd: 471 How should this be solved? This is another one where dnssec fails, so clearly a bug. There is a test page about exactly that case, which fails for me when resolving through dnsmasq: http://0skar.cz/dns/en/ Uwe - Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
