Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-30 Thread Tore Anderson
* Simon Kelley

> I just pushed
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
>
> Which makes the following changes:
>
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the th

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-29 Thread Simon Kelley
On 29/08/2019 17:53, Tore Anderson wrote:
> Hi Simon,
>
>> Now, it's certainly possible to verify that the DS record doesn't exist
>> without relying on the data in the SOA record. BUT there is a problem:
>> having determined securely that the DS record doesn't exist, dnsmasq
>> caches that inform

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-29 Thread Tore Anderson
Hi Simon,

> Now, it's certainly possible to verify that the DS record doesn't exist
> without relying on the data in the SOA record. BUT there is a problem:
> having determined securely that the DS record doesn't exist, dnsmasq
> caches that information, and it uses data from the SOA record to
> d

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-28 Thread Simon Kelley
On 24/08/2019 18:47, Tore Anderson wrote:
> Some more information:
>
>> When the bug occurs, the error «Insecure DS reply received, do upstream DNS
>> servers support DNSSEC?» is logged.
>
> I think that the problem might be caused by this query in frames 7-8 of the
> PCAP:
>
> 7 0.00742

Re: [Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-24 Thread Tore Anderson
Some more information:

> When the bug occurs, the error «Insecure DS reply received, do upstream DNS
> servers support DNSSEC?» is logged.

I think that the problem might be caused by this query in frames 7-8 of the PCAP:

7 0.007426 192.168.1.155 → 84.208.20.110 DNS 81 Standard query 0x56

[Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

2019-08-24 Thread Tore Anderson
Dnsmasq seems to have a bug where it will return an incorrect Bogus validation verdict for domains that in reality are Insecure. The bug does not appear to impact Secure domains, at least I have not observed that happening. When the bug occurs, the error «Insecure DS reply received, do upstream