* [gentoo-dev] bugs.gentoo.org and dnssec
From: Alon Bar-Lev @ 2015-04-21 17:27 UTC
To: gentoo-dev
Hi,
Not sure where the problem is... maybe others can reproduce this.
When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
access attachments.
The attachments are forwarded to a CNAME, for example:
---
546330.bugs.gentoo.org. 60 IN CNAME bugs-gossamer.gentoo.org.
bugs-gossamer.gentoo.org. 300 IN CNAME gannet.gentoo.org.
gannet.gentoo.org. 604800 IN A 204.187.15.4
---
When trying to access without dnssec all is ok:
---
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
Apr 21 20:19:04 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---
When trying to access with dnssec, notice the "validation result is
BOGUS", no result is returned:
---
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DS] org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] dnssec-query[DNSKEY] . to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 19036
Apr 21 20:09:33 [dnsmasq] reply . is DNSKEY keytag 48613
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 3213
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 9795
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 34023
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
- Last output repeated twice -
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:09:33 [dnsmasq] reply 546330.bugs.gentoo.org is <CNAME>
Apr 21 20:09:33 [dnsmasq] reply bugs-gossamer.gentoo.org is <CNAME>
Apr 21 20:09:33 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
---
Maybe it is a local issue of the DNS I am using (I have no access to
it), but maybe there is an issue at infra.
Regards,
Alon Bar-Lev.
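
A small triage helper for logs like the two above, added here as an example and not part of the original message: it groups dnsmasq query-log lines per client query and, for each BOGUS result, reports the upstream forwarder and any zone whose logged DS keytag matches no logged DNSKEY keytag. It assumes the log format shown in this message; the function names are illustrative.

```python
import re

# Lines excerpted from the two dnsmasq logs in the message above.
SAMPLE_LOG = """\
Apr 21 20:09:33 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:09:33 [dnsmasq] forwarded 546330.bugs.gentoo.org to 10.38.5.26
Apr 21 20:09:33 [dnsmasq] reply org is DS keytag 21366
Apr 21 20:09:33 [dnsmasq] reply org is DNSKEY keytag 21366
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DS keytag 46873
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 52980
Apr 21 20:09:33 [dnsmasq] reply gentoo.org is DNSKEY keytag 46873
Apr 21 20:09:33 [dnsmasq] validation result is BOGUS
Apr 21 20:19:04 [dnsmasq] query[A] 546330.bugs.gentoo.org from 127.0.0.1
Apr 21 20:19:04 [dnsmasq] forwarded 546330.bugs.gentoo.org to 192.168.1.1
Apr 21 20:19:04 [dnsmasq] validation result is INSECURE
Apr 21 20:19:04 [dnsmasq] reply gannet.gentoo.org is 204.187.15.4
"""

def parse(log):
    """Group lines per client query (assumes lookups are not interleaved)."""
    records, cur = [], None
    for raw in log.splitlines():
        msg = raw.split("[dnsmasq] ", 1)[-1]
        if q := re.match(r"query\[(\w+)\] (\S+) from (\S+)", msg):
            cur = {"name": q[2], "qtype": q[1], "upstream": None,
                   "results": [], "ds": {}, "dnskey": {}}
            records.append(cur)
        elif cur is None:
            continue  # ignore lines before the first client query
        elif f := re.match(r"forwarded (\S+) to (\S+)", msg):
            cur["upstream"] = f[2]
        elif k := re.match(r"reply (\S+) is (DS|DNSKEY) keytag (\d+)", msg):
            cur[k[2].lower()].setdefault(k[1], set()).add(int(k[3]))
        elif v := re.match(r"validation result is (\w+)", msg):
            cur["results"].append(v[1])
    return records

def bogus_report(records):
    """Per BOGUS query: (name, upstream, zones whose DS tag matches no DNSKEY tag)."""
    report = []
    for r in records:
        if "BOGUS" in r["results"]:
            broken = sorted(z for z, tags in r["ds"].items()
                            if not tags & r["dnskey"].get(z, set()))
            report.append((r["name"], r["upstream"], broken))
    return report

if __name__ == "__main__":
    print(bogus_report(parse(SAMPLE_LOG)))
```

On the excerpt it reports the failing lookup against 10.38.5.26 with no unmatched DS keytags: the logged key tags line up at both org and gentoo.org, and the passing run went through a different forwarder (192.168.1.1).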
* Re: [gentoo-dev] bugs.gentoo.org and dnssec
From: James Cloos @ 2015-04-21 17:40 UTC
To: Alon Bar-Lev; +Cc: gentoo-dev
>>>>> "AB" == Alon Bar-Lev <alonbl@gentoo.org> writes:
AB> When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
AB> access attachments.
It works here using a local unbound.
But dnsmasq had some growth pains when it added dnssec verification, due
to its bottom-up rather than the usual top-down approach.
AIUI, the current release should work.
If you see that issue with 2.72 or later, they'd like to hear about it.
Their list is: dnsmasq-discuss@lists.thekelleys.org.uk
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
* Re: [gentoo-dev] bugs.gentoo.org and dnssec
From: Alon Bar-Lev @ 2015-04-21 17:51 UTC
To: gentoo-dev
On 21 April 2015 at 20:40, James Cloos <cloos@jhcloos.com> wrote:
>>>>>> "AB" == Alon Bar-Lev <alonbl@gentoo.org> writes:
>
> AB> When using bugs.gentoo.org with dnsmasq and dnssec enabled, I cannot
> AB> access attachments.
>
> It works here using a local unbound.
>
> But dnsmasq had some growth pains when it added dnssec verification, due
> to its bottom-up rather than the usual top-down approach.
>
> AIUI, the current release should work.
>
> If you see that issue with 2.72 or later, they'd like to hear about it.
>
> Their list is: dnsmasq-discuss@lists.thekelleys.org.uk
>
Thanks!
I suspected that.
Yes, I am using 2.72, I will send a message.