dnsmasq doesn't check dnssec
By Emma Valentine
I'm on Ubuntu 14.04.2 LTS. NetworkManager starts dnsmasq with the --proxy-dnssec option. However:
$ dig @127.0.1.1 dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
...
dnssec-failed.org. 5573 IN A 69.252.80.75
...
Any idea why this is happening?
Thx
1 Answer
Did you read man dnsmasq? In part:
--proxy-dnssec A resolver on a client machine can do DNSSEC validation in two ways: it can perform the cryptographic operations on the reply it receives, or it can rely on the upstream recursive nameserver to do the validation and set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC validator, so it cannot perform the validation role of the recursive nameserver, but it can pass through the validation results from its own upstream nameservers. This option enables this behaviour. You should only do this if you trust all the configured upstream nameservers and the network between you and them. If you use the first DNSSEC mode, validating resolvers in clients, this option is not required. Dnsmasq always returns all the data needed for a client to do validation itself.
So it looks like your upstream resolvers aren't passing the validation result.
On my system (YMMV):
w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE rcvd: 46
w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-=============================================================================
un dnsmasq <none> <none> (no description available)
ii dnsmasq-base 2.68-1ubuntu0.1 amd64 Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$