* Simon Kelley
> I just pushed
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
>
> Which makes the following changes:
>
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the th
On 29/08/2019 17:53, Tore Anderson wrote:
> Hi Simon,
>
>> Now, it's certainly possible to verify that the DS record doesn't exist
>> without relying on the data in the SOA record. BUT there is a problem:
>> having determined securely that the DS record doesn't exist, dnsmasq
>> caches that inform
Hi Simon,

> Now, it's certainly possible to verify that the DS record doesn't exist
> without relying on the data in the SOA record. BUT there is a problem:
> having determined securely that the DS record doesn't exist, dnsmasq
> caches that information, and it uses data from the SOA record to
> d
On 24/08/2019 18:47, Tore Anderson wrote:
> Some more information:
>
>> When the bug occurs, the error «Insecure DS reply received, do upstream DNS
>> servers support DNSSEC?» is logged.
>
> I think that the problem might be caused by this query in frames 7-8 of the
> PCAP:
>
> 7 0.00742
Some more information:

> When the bug occurs, the error «Insecure DS reply received, do upstream DNS
> servers support DNSSEC?» is logged.

I think that the problem might be caused by this query in frames 7-8 of the
PCAP:

7 0.007426 192.168.1.155 → 84.208.20.110 DNS 81 Standard query 0x56
Dnsmasq seems to have a bug where it will return an incorrect Bogus validation
verdict for domains that in reality are Insecure. The bug does not appear to
impact Secure domains, at least I have not observed that happening.
When the bug occurs, the error «Insecure DS reply received, do upstream