[Dnssec-trigger] Non-functional dnsmasq bugs detection

Petr Menšík pemensik at redhat.com
Tue Oct 13 21:57:20 UTC 2020


Hello DNSSEC users,

I maintain dnsmasq in Fedora, so I know about some of its bugs.
Today, I found issues on my provider connection. It uses some Ubiquiti
device running dnsmasq inside. One device is dnsmasq-2.78-23-g9e09429,
the second dnsmasq-2.79-1-2-geff17ee.

Both detect support for DNSSEC on the first try, but then randomly fail
here and there to validate some sites during usage.

I have found it has a broken cache. When the first query is made with
+nodnssec, the second with +dnssec gets the cached reply for the same name,
but without DNSSEC records. Unfortunately, it does not work for the NULL
queries now used for NSEC3.

cache 10.129.0.26: OK

$ HOST=_probe.cz && T=null && R=10.129.0.26 && dig -t $T $HOST @$R && dig +dnssec -t $T $HOST @$R
This command always delivers RRSIG, so the resolver is detected as DNSSEC
compatible.

$ HOST=_probe.cz && T=A && R=10.129.0.26 && dig -t $T $HOST @$R && dig +dnssec -t $T $HOST @$R
This command, however, never gets RRSIG in the second query on that broken device.

Because dnsmasq is quite common on cheap home hardware, I think it
would be worth detecting its bugs and working around them.

I would propose doubling the NSEC3 test: first without the DO bit in the request,
then a second query with the same name and type with the DO bit set. And change
PROBE_NSEC3_QTYPE to an A or AAAA record.

What would you think about such a change? I would prepare a pull request
once I find enough time. Was there a specific reason to use NULL for NSEC3
probes?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------

; <<>> DiG 9.16.7-RedHat-9.16.7-1.fc32 <<>> -t null _probe.uk.uk @10.129.0.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51796
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_probe.uk.uk.			IN	NULL

;; AUTHORITY SECTION:
uk.			6148	IN	SOA	dns1.nic.uk. hostmaster.nic.uk. 1405078049 7200 900 2419200 10800

;; Query time: 4 msec
;; SERVER: 10.129.0.26#53(10.129.0.26)
;; WHEN: Út říj 13 23:53:25 CEST 2020
;; MSG SIZE  rcvd: 97


; <<>> DiG 9.16.7-RedHat-9.16.7-1.fc32 <<>> +dnssec -t null _probe.uk.uk @10.129.0.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_probe.uk.uk.			IN	NULL

;; AUTHORITY SECTION:
uk.			6148	IN	SOA	dns1.nic.uk. hostmaster.nic.uk. 1405078049 7200 900 2419200 10800
uk.			6148	IN	RRSIG	SOA 8 1 172800 20201027203538 20201013193538 43056 uk. M4u8RJKFRyUh065WQc1U2hbWA04PXGS4OypP96PVFbTOnINAlGmR1vxK gIMAz2MC3yHLaEX8UtoYrkeDU8FCf+inUzLuVacrfOZomPEJlTchBBnU fyDNcC/kzfFZGMNrvvH6tlnaUp98Ld9PEodNQ0/yD7k/GKk8B3o3F65L gr4=
4IHFUHVANMOM0AT1DVGL85Q0QFVS68SI.uk. 6148 IN RRSIG NSEC3 8 2 10800 20201027111238 20201013111129 43056 uk. Kcqhgn+e9NHZC4mrhbUtIsfSwtlMu4DSkrV/ILHHhQTXBXp7N8CLGtFW q8rozDI+YycdzprHb8fH2tUYJk94h74htfcvqKErh0v4Z1LbIcHGQzga aCn8ZV9QaJ7jGY1EN0J8S29CDkKS+gfOq+lG3ifrvx5N9PvZxo1GFIje YI0=
4IHFUHVANMOM0AT1DVGL85Q0QFVS68SI.uk. 6148 IN NSEC3 1 1 0 - 4IKIBI9LO1UKUABUHV47K50TSMQAMU0K NS DS RRSIG
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 6148 IN RRSIG NSEC3 8 2 10800 20201027063841 20201013054806 43056 uk. zji7DXLjQNQqY/bUL/6rwxgzlG2Ahqny7rSXCJ1Fi5KDk8qhX1TFCwNq ydXcJrbKoPQ5zQwI04ujzDQbxjuHZDNp73mOgxWWnr4ZaIobsfSb8zbt Whyft0IoQXmiuw0OWdEDb3ADZFhOq7qECE8tDgQepduJw8nI8wUlh72V vb0=
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 6148 IN NSEC3 1 1 0 - U1G6AVNC37MT4HAJ92ES0KP81JT1ILJN NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
UJD9QFRDM1NCJLDLSGDIRKVK1CR9L2C3.uk. 6148 IN RRSIG NSEC3 8 2 10800 20201027060007 20201013052044 43056 uk. p+lygCYlWFmSRyjzj3R/FssqIU4zH5HyMVmk+xidjZpH5nOhzoSfSNDt NHackwMidcX+tBlE6p6eAlsjMZm5YSr++41NtYmye+N5Dj9PW4RhLcFU DpaiQE3e5SclgshW7S3Jzdcp/ZK7FhD4980HO2VmaljREa9MooGZaNUB BAA=
UJD9QFRDM1NCJLDLSGDIRKVK1CR9L2C3.uk. 6148 IN NSEC3 1 1 0 - UJGFK6HFPRBVG3JI9POESGJ14EKPJR4B NS DS RRSIG

;; Query time: 6 msec
;; SERVER: 10.129.0.26#53(10.129.0.26)
;; WHEN: Út říj 13 23:53:25 CEST 2020
;; MSG SIZE  rcvd: 1017

-------------- next part --------------

; <<>> DiG 9.16.7-RedHat-9.16.7-1.fc32 <<>> -t A _probe.uk.uk @10.129.0.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25765
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_probe.uk.uk.			IN	A

;; Query time: 0 msec
;; SERVER: 10.129.0.26#53(10.129.0.26)
;; WHEN: Út říj 13 23:53:13 CEST 2020
;; MSG SIZE  rcvd: 41


; <<>> DiG 9.16.7-RedHat-9.16.7-1.fc32 <<>> +dnssec -t A _probe.uk.uk @10.129.0.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2211
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_probe.uk.uk.			IN	A

;; Query time: 0 msec
;; SERVER: 10.129.0.26#53(10.129.0.26)
;; WHEN: Út říj 13 23:53:13 CEST 2020
;; MSG SIZE  rcvd: 41

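The doubled probe proposed above (same name and type queried first without and then with the DO bit, then checking whether the second reply still carries RRSIG), as an added stand-alone example written for this page; it is not code from the poster or from dnssec-trigger. It uses only the Python standard library, builds the DNS wire format by hand, and treats the resolver address and probe name as command-line inputs (10.129.0.26 and _probe.uk.uk from the attached dig output are just sample values). The constructed_reply helper fabricates a reply with placeholder RRSIG bytes purely so the parser can be exercised offline; it is not captured traffic.

```python
import socket
import struct
import sys

# RR types and EDNS constants (RFC 1035, RFC 4034, RFC 6891)
TYPE_A, TYPE_SOA, TYPE_NULL, TYPE_OPT, TYPE_RRSIG = 1, 6, 10, 41, 46
EDNS_DO = 0x8000          # DO bit is the high bit of the OPT RR's TTL field
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, do_bit, txid):
    """Build a recursive query with an EDNS0 OPT record; DO bit optional."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root owner, class carries UDP payload size, TTL carries ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do_bit else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_rrs(msg):
    """Return (type, ttl) for every RR in the answer, authority and additional sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((rtype, ttl))
        off += 10 + rdlen
    return rrs


def has_rrsig(msg):
    return any(t == TYPE_RRSIG for t, _ in parse_rrs(msg))


def do_bit_set(msg):
    return any(t == TYPE_OPT and ttl & EDNS_DO for t, ttl in parse_rrs(msg))


def constructed_reply(name, qtype, with_rrsig, txid):
    """Constructed NXDOMAIN-style reply for offline testing; not captured traffic.
    Authority holds a SOA and, if with_rrsig, an RRSIG with placeholder rdata."""
    soa = encode_name("dns1.nic.uk") + encode_name("hostmaster.nic.uk") + \
        struct.pack("!IIIII", 1405078049, 7200, 900, 2419200, 10800)
    rrs = [encode_name("uk") + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 6148, len(soa)) + soa]
    if with_rrsig:
        sig = b"\x00" * 18 + encode_name("uk") + b"\x00" * 16  # placeholder fields, not a real signature
        rrs.append(encode_name("uk") + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 6148, len(sig)) + sig)
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, len(rrs), 1)  # QR RD RA, rcode NXDOMAIN
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if with_rrsig else 0, 0)
    return header + question + b"".join(rrs) + opt


def query_udp(server, wire, timeout=3.0):
    """Send one query over UDP and return the reply; reject a mismatched transaction ID."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        reply = s.recv(4096)
    if reply[:2] != wire[:2]:
        raise RuntimeError("transaction ID mismatch")
    return reply


def cache_strips_dnssec(server, name, qtype=TYPE_A):
    """The doubled probe: query without DO, then the same name/type with DO.
    True means the second reply carried no RRSIG, i.e. the cache dropped DNSSEC data."""
    query_udp(server, build_query(name, qtype, do_bit=False, txid=1))
    second = query_udp(server, build_query(name, qtype, do_bit=True, txid=2))
    return not has_rrsig(second)


if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]          # e.g. 10.129.0.26 _probe.uk.uk
    print("cache strips DNSSEC:", cache_strips_dnssec(server, name))
```

Run it as `python3 probe.py 10.129.0.26 _probe.uk.uk`: against the resolver described in the mail the A-type probe reports True, while a resolver that keeps DNSSEC data per DO bit in its cache reports False. The probe uses a fresh transaction ID per query and checks it on the reply, and qtype can be switched to TYPE_NULL to reproduce the current NSEC3 probe behaviour for comparison.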
