Opened 3 years ago

Closed 3 years ago

#18136 closed defect (wontfix)

DNSSEC on dnsmasq fails with DS digest type 1

Reported by: sige.bo@… Owned by: developers
Priority: normal Milestone:
Component: base system Version: Barrier Breaker 14.07
Keywords: Cc:

Description

I'm not sure if I should push this problem upstream to the dnsmasq tracker, but I guess since it's a package here, I'll keep it here.

I want to enable the DNSSEC validating resolver with dnsmasq-full.
Things like debian.org, posteo.de and all those work without any problem or fault.
But my own domain, stripeyc.at, and the domain nightfox-arts.com do not work; the log says the validation results are BOGUS.

Example:
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: dnssec-query[DNSKEY] stripeyc.at to 85.214.20.141
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: dnssec-query[DS] stripeyc.at to 85.214.20.141
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: dnssec-query[DNSKEY] at to 85.214.20.141
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: dnssec-query[DS] at to 85.214.20.141
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DS keytag 60836
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DS keytag 56489
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DNSKEY keytag 29940
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DNSKEY keytag 7909
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DNSKEY keytag 60836
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply at is DNSKEY keytag 56489
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply stripeyc.at is DS keytag 55690
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply stripeyc.at is DS keytag 55690
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: reply stripeyc.at is BOGUS DNSKEY
Wed Oct 15 23:44:19 2014 daemon.info dnsmasq[7620]: validation result is BOGUS

Yet http://dnsviz.net/d/stripeyc.at/dnssec and the verisign tool http://dnssec-debugger.verisignlabs.com/stripeyc.at aren't showing any errors at all!

The only thing I noticed is that those two sites have a DS record with a SHA-1 digest (type 1) upstream in the .com and .at zones.
(Though my domain has types 1 and 2, SHA-1 and SHA-256, and still fails.)
Sadly, deleting the type 1 DS entry upstream requires some support from my registrar; otherwise I'd just have removed the type 1 entry to test.
I might do it down the road eventually, if requested, but won't bring it up again. Just saying...

Maybe someone else can test, maybe there is something wrong in a bundled lib in OpenWrt, or I'll have to send it upstream.
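A check an operator can run on the DS/DNSKEY pair discussed above, added here as an example (not the ticket's or dnsmasq's own code): it computes the RFC 4034 key tag that dnsmasq prints as `keytag NNNNN`, derives the DS digest for type 1 (SHA-1, RFC 4034) and type 2 (SHA-256, RFC 4509), and compares the DS a parent zone publishes with the child's DNSKEY. The DNSKEY value used is constructed, not the real stripeyc.at key.

```python
"""Verify that a parent zone's DS record matches the child's DNSKEY (RFC 4034 / 4509).

Added example, not part of the ticket or of dnsmasq. The DNSKEY below is a
constructed value, not the real key of any zone named in the ticket.
"""
import base64
import hashlib

# DS digest types seen in the ticket: 1 = SHA-1, 2 = SHA-256
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(presentation):
    """'257 3 8 <base64>' (dig/dnsmasq format) -> RDATA: flags, protocol, algorithm, key."""
    flags, proto, alg, *key = presentation.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key)))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number dnsmasq logs as 'keytag NNNNN'."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """Hex DS digest = hash(owner name in wire form + DNSKEY RDATA) for type 1 or 2."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest()

def make_ds(owner, dnskey, digest_type):
    """DS record ('keytag alg digesttype hex') the parent should publish for this DNSKEY."""
    rdata = dnskey_rdata(dnskey)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(owner, dnskey, ds):
    """True if the published DS covers this DNSKEY (key tag, algorithm and digest all agree)."""
    rdata = dnskey_rdata(dnskey)
    tag, alg, dtype, *digest = ds.split()
    return (int(tag) == key_tag(rdata) and int(alg) == rdata[3]
            and "".join(digest).lower() == ds_digest(owner, rdata, int(dtype)))
```

Run `ds_matches` once per DS record the parent publishes; a zone with both a type 1 and a type 2 DS should validate against the same DNSKEY with each of them.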

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by cyrus

  • Resolution set to wontfix
  • Status changed from new to closed

Please take it upstream. I don't think we can help out much here.
