
dnsmasq: cached dnssec responses fail validation #1362

Closed
mweinelt opened this issue Apr 10, 2018 · 6 comments
Labels
0. type: bug This is a bug
Comments

@mweinelt
Contributor

I tried using the dnsmasq cache on the nextnode address today and my unbound, which is reconfigured to use that cache, fails to validate DNSSEC-secured responses that are pulled from the cache, and therefore makes some domains unusable.

Uncached responses otoh work just fine.

@christf
Member

christf commented Apr 10, 2018

dnsmasq seems to not store the authenticity information in its cache by default. Could you try using --proxy-dnssec in the config file for dnsmasq?

@mweinelt
Contributor Author

mweinelt commented Apr 10, 2018

While the option is shown in the --help section, DNSSEC support is only built in in dnsmasq-full.

See the Makefile on OpenWrt Master: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/dnsmasq/Makefile;h=b6502bf5d04ef8f48a99d9f2e1506942846fa9da;hb=refs/heads/master

But indeed this seems to be the issue:

The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled).

otoh --dnssec and --proxy-dnssec seem to be two different things:

# dnsmasq --dnssec

dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h

# dnsmasq --proxy-dnssec

dnsmasq: failed to create listening socket for port 53: Address in use

I can retry this later at home.

@christf
Member

christf commented Apr 10, 2018

--dnssec is not needed for --proxy-dnssec because on the latter no validation happens.

You can run
ps www|grep dnsmasq
to find the instance that is run by the dnsmasq user. Copy the command line, kill this very instance and run this dnsmasq command again with the --proxy-dnssec option added on the CLI. Then, please verify if DNSSEC caching works.

@rotanid rotanid added the 0. type: bug This is a bug label Apr 11, 2018
@mweinelt
Contributor Author

mweinelt commented Apr 11, 2018

Unfortunately --proxy-dnssec does not seem to resolve the issue.

Installing dnsmasq-full and enabling --dnssec works.

https://www.linuxlounge.net/~martin/ffda/dnsmasq.pcap
dnsmasq with --proxy-dnssec
2 queries, first is resolved and ok, second is cached and fails.

https://www.linuxlounge.net/~martin/ffda/dnsmasq-full.pcap
dnsmasq-full with --dnssec
3 queries, all fine.
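One way to check what the two captures describe (first answer validates, cached answer does not), as an added example that is not part of this issue, of Gluon or of dnsmasq: a minimal DNS wire-format parser that reports whether a response still carries the RRSIG records and the EDNS DO / header AD flags a validating resolver such as unbound relies on. The two sample messages are constructed inline (assumed example.com data, not taken from the linked pcaps); on real traffic you would feed it the UDP payloads of the responses.

```python
"""Audit DNS responses for the DNSSEC material a validator needs.

Added example, not code from the issue, Gluon or dnsmasq. Sample
messages are constructed below; nothing here touches the network.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
FLAG_AD = 0x0020       # AD bit in the 16-bit header flags
EDNS_DO = 0x8000       # DO bit lives in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def build_response(qname: str, answers, ad=True, do=True, txid=0x1234) -> bytes:
    """Construct a response for <qname> A. answers: list of (rrtype, rdata).

    Always appends an OPT record so the DO bit can be set or cleared.
    """
    flags = 0x8180 | (FLAG_AD if ad else 0)       # QR, RD, RA (+AD)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for rrtype, rdata in answers:
        msg += b"\xC0\x0C"                         # pointer to qname at offset 12
        msg += struct.pack("!HHIH", rrtype, CLASS_IN, 300, len(rdata)) + rdata
    # OPT: root name, type 41, class = UDP payload size, TTL = ext flags (DO)
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return msg


def skip_rr(msg: bytes, off: int):
    """Return (rrtype, ttl_field, offset after this RR)."""
    _, off = read_name(msg, off)
    rrtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return rrtype, ttl, off + 10 + rdlen


def audit_response(msg: bytes) -> dict:
    """Summarise the DNSSEC-relevant content of one response message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answer_types, rrsigs = [], 0
    for _ in range(an):
        rrtype, _, off = skip_rr(msg, off)
        if rrtype == TYPE_RRSIG:
            rrsigs += 1
        else:
            answer_types.append(rrtype)
    for _ in range(ns):
        _, _, off = skip_rr(msg, off)
    do = False
    for _ in range(ar):
        rrtype, ttl, off = skip_rr(msg, off)
        if rrtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    ad = bool(flags & FLAG_AD)
    if answer_types and rrsigs == 0:
        verdict = "rrsig-stripped"                 # validator cannot prove the answer
    elif do and not ad:
        verdict = "ad-cleared"                     # signed, but nobody vouched for it
    else:
        verdict = "ok"
    return {"ad": ad, "do": do, "answer_types": answer_types,
            "rrsig_count": rrsigs, "verdict": verdict}


# Constructed samples: a signed upstream answer and a cache-style copy
# that kept the A record but lost the RRSIG and the flags.
SIGNED = build_response("example.com", [(TYPE_A, b"\x5d\xb8\xd8\x22"),
                                        (TYPE_RRSIG, b"\x00" * 20)])
STRIPPED = build_response("example.com", [(TYPE_A, b"\x5d\xb8\xd8\x22")],
                          ad=False, do=False)

if __name__ == "__main__":
    for label, sample in (("upstream", SIGNED), ("cached", STRIPPED)):
        print(label, audit_response(sample))
```

The verdict "rrsig-stripped" is the condition that makes a validating downstream resolver reject the answer outright: without the signature it can only treat the data as bogus. "ad-cleared" is weaker and only matters to stub clients that trust the AD bit instead of validating themselves.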

@rotanid rotanid added this to the 2018.1 milestone Apr 11, 2018
@neocturne
Member

"Fixed" in 543eb17.

@mweinelt
Contributor Author

mweinelt commented Nov 4, 2018

Just because I was curious what it would take:
dnsmasq-full plus dependencies comes down to roughly 784 kB of additional disk space.

136.0K dnsmasq-full_2.80-1_mipsel_24kc.ipk
120.0K kmod-ipt-ipset_4.14.78-1_mipsel_24kc.ipk
16.0K kmod-nf-conntrack-netlink_4.14.78-1_mipsel_24kc.ipk
212.0K libgmp_6.1.2-1_mipsel_24kc.ipk
8.0K libmnl_1.0.4-1_mipsel_24kc.ipk
36.0K libnetfilter-conntrack_2017-07-25-e8704326-1_mipsel_24kc.ipk
244.0K libnettle_3.4-1_mipsel_24kc.ipk
12.0K libnfnetlink_1.0.1-1_mipsel_24kc.ipk
784.0K total
