I tried using the dnsmasq cache on the nextnode address today, and my unbound, which is reconfigured to use that cache, fails to validate DNSSEC-secured responses that are pulled from the cache and therefore makes some domains unusable.
Uncached responses otoh work just fine.
dnsmasq seems to not store the authenticity information in its cache by default. Could you try using --proxy-dnssec in the config file for dnsmasq?
While the option is shown in the --help section, DNSSEC support is only built into dnsmasq-full.
See the Makefile on OpenWrt Master: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/dnsmasq/Makefile;h=b6502bf5d04ef8f48a99d9f2e1506942846fa9da;hb=refs/heads/master
But indeed this seems to be the issue:
The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled).
otoh --dnssec and --proxy-dnssec seem to be two different things:
# dnsmasq --dnssec
dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
# dnsmasq --proxy-dnssec
dnsmasq: failed to create listening socket for port 53: Address in use
I can retry this later at home.
--dnssec is not needed for --proxy-dnssec because on the latter no validation happens.
You can run
ps www|grep dnsmasq
to find the instance that is run by the dnsmasq user. Copy the command line, kill this very instance and run this dnsmasq command again with the --proxy-dnssec option added on the CLI. Then, please verify if DNSSEC caching works.
Unfortunately --proxy-dnssec does not seem to resolve the issue.
Installing dnsmasq-full and enabling --dnssec works.
https://www.linuxlounge.net/~martin/ffda/dnsmasq.pcap
dnsmasq with --proxy-dnssec
2 queries, first is resolved and ok, second is cached and fails.
https://www.linuxlounge.net/~martin/ffda/dnsmasq-full.pcap
dnsmasq-full with --dnssec
3 queries, all fine.
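One way to run the "verify if DNSSEC caching works" step above without a packet capture, as an added example that is not from this thread: a standard-library Python script (file name dnssec_cache_check.py, resolver 127.0.0.1 and name example.com are assumed defaults) that sends the same query twice with the EDNS0 DO bit set and reports whether the second, cached reply still carries the AD flag and the RRSIG records a downstream validator like unbound needs.

```python
import socket
import struct
import sys

RRSIG = 46  # RR type that dnsmasq drops from cached replies unless --proxy-dnssec/--dnssec is on

def build_query(name, qtype=1, qid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying the DO bit (request DNSSEC RRs)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # DO = top bit of TTL field
    return header + question + opt

def skip_name(msg, off):
    """Advance past a (possibly compressed) owner name and return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (ad_flag, rrsig_count, answer_count) for a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    ad = bool(flags & 0x0020)  # AD: upstream says this answer was validated
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    rrsigs = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += (rtype == RRSIG)
    return ad, rrsigs, an

def cache_keeps_dnssec(first, second):
    """True when the cached (second) reply still has AD and at least as many RRSIGs as the first."""
    return second[0] and first[1] > 0 and second[1] >= first[1]

def query(server, name, timeout=3):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

if __name__ == "__main__":  # usage: python3 dnssec_cache_check.py <resolver-ip> <name>
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    first, second = query(server, name), query(server, name)  # second one is served from cache
    print("first:", first, "cached:", second, "OK" if cache_keeps_dnssec(first, second) else "STRIPPED")
```

A "STRIPPED" result against a plain dnsmasq matches the behaviour in the first pcap (first reply fine, cached reply unusable for the validator).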
"Fixed" in 543eb178824e8ed8a6f385fe1ebdf0d7ca709be3.
Just because I was curious what it would take:
dnsmasq-full plus dependencies comes down to roughly 784 kB of additional disk space.
136.0K dnsmasq-full_2.80-1_mipsel_24kc.ipk
120.0K kmod-ipt-ipset_4.14.78-1_mipsel_24kc.ipk
16.0K kmod-nf-conntrack-netlink_4.14.78-1_mipsel_24kc.ipk
212.0K libgmp_6.1.2-1_mipsel_24kc.ipk
8.0K libmnl_1.0.4-1_mipsel_24kc.ipk
36.0K libnetfilter-conntrack_2017-07-25-e8704326-1_mipsel_24kc.ipk
244.0K libnettle_3.4-1_mipsel_24kc.ipk
12.0K libnfnetlink_1.0.1-1_mipsel_24kc.ipk
784.0K total