[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible
On Wily, I edited /etc/dnsmasq.d/network-manager and added the following lines: # DNSSEC setup dnssec trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 dnssec-check-unsigned I then restarted network-manager and tried to connect to http://www.dnssec-failed.org/. As expected, the site does not load (it is deliberately configured to fail DNSSEC validation). But when reloading the page multiple-time, it is sometime displayed! I don't understand why. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/995332 Title: Please enhance NetworkManager such that DNSSEC validation is done whenever possible To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible
For some reason, subsequent DNS queries do not always bring the same result here with the above configuration: First queries after a reboot return what's expected: nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org ; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.dnssec-failed.org. IN A ;; Query time: 127 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sat Jan 02 13:11:49 CET 2016 ;; MSG SIZE rcvd: 50 And then, suddenly: nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org ; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.dnssec-failed.org. IN A ;; ANSWER SECTION: www.dnssec-failed.org. 3407IN A 69.252.193.191 www.dnssec-failed.org. 3407IN A 68.87.109.242 ;; Query time: 12 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sat Jan 02 13:11:50 CET 2016 ;; MSG SIZE rcvd: 82 Do someone have an idea of what is going on? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/995332 Title: Please enhance NetworkManager such that DNSSEC validation is done whenever possible To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible
Does anyone have instructions for how to configure this by hand on a desktop Ubuntu vivid or wily installation? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/995332 Title: Please enhance NetworkManager such that DNSSEC validation is done whenever possible To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible
Do NOT use DNSSEC-proxy function of Dnsmasq. The validation is done on a resolver in the internet. Any attacker can use a Man-In-The-Middle attack between the DNSSEC-resolver in the internet and Dnsmasq to manipulate the DNSSEC data. Proxying the DO-/AD-bit lulls the user into a FALSE sense of security. DNSSEC-proxying is highly INSECURE! -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/995332 Title: Please enhance NetworkManager such that DNSSEC validation is done whenever possible To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible
Dnsmasq supports validating DNSSEC since version 2.69, Bugs have been fixed since version 2.71. Please update Ubuntu packages to 2.71 and compile with DNSSEC support (see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG)! -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/995332 Title: Please enhance NetworkManager such that DNSSEC validation is done whenever possible To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs