dnsmasq does not validate DNSSEC

I am on Ubuntu 14.04.2 LTS. NetworkManager starts dnsmasq with the --proxy-dnssec option. However:

$ dig @127.0.1.1 dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
...
dnssec-failed.org.  5573    IN  A   69.252.80.75
...

Any ideas why this happens?

Thx

1
asked 28 April 2016 at 18:23

1 answer

Have you read man dnsmasq? In part:

   --proxy-dnssec
          A  resolver  on a client machine can do DNSSEC validation in two
          ways: it can perform the cryptograhic operations on the reply it
          receives, or it can rely on the upstream recursive nameserver to
          do the validation and set a bit in the  reply  if  it  succeeds.
          Dnsmasq  is  not  a  DNSSEC  validator, so it cannot perform the
          validation role of the recursive nameserver,  but  it  can  pass
          through   the   validation   results   from   its  own  upstream
          nameservers. This option enables this behaviour. You should only
          do this if you trust all the configured upstream nameservers and
          the network between you and them.  If you use the  first  DNSSEC
          mode,  validating  resolvers  in  clients,  this  option  is not
          required. Dnsmasq always returns  all  the  data  needed  for  a
          client to do validation itself.

So it looks like your upstream resolvers are not passing the validation result through.

On my system (YMMV):

w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE  rcvd: 46

w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                 Version                 Architecture            Description
+++-====================================-=======================-=======================-=============================================================================
un  dnsmasq                              <none>                  <none>                  (no description available)
ii  dnsmasq-base                         2.68-1ubuntu0.1         amd64                   Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$ 
1
answered 29 April 2016 at 04:23
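As an added example that is not part of this thread, here is a small POSIX shell helper that reads the text printed by `dig +dnssec @127.0.1.1 <name>` and classifies what it says about validation, the point the man page excerpt above makes: with --proxy-dnssec, dnsmasq can only forward the AD bit its upstream set. The sample header lines embedded in it are constructed after the two dig runs quoted in this thread, and the function names are my own.

```shell
#!/bin/sh
# Classify a resolver's DNSSEC behaviour from the text dig prints.
# Typical use against the local dnsmasq (network, not run here):
#   dig +dnssec @127.0.1.1 dnssec-failed.org | classify_dig_output   # want: bogus-rejected
#   dig +dnssec @127.0.1.1 <a-signed-name>  | classify_dig_output   # want: validated
# "unvalidated" for dnssec-failed.org means the upstream resolver did not
# validate, so dnsmasq had no AD bit to proxy through.
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo "bogus-rejected" ;;        # upstream validated and refused the answer
    NOERROR)
      case " $flags " in
        *" ad "*) echo "validated" ;;          # AD bit passed through from upstream
        *)        echo "unvalidated" ;;        # answer given, but nobody vouched for it
      esac ;;
    "")       echo "no-header" ;;              # not dig output at all
    *)        echo "other:$status" ;;
  esac
}

# Constructed samples (header and flags lines only), modelled on the two
# dig runs quoted in this thread plus one validated answer.
SAMPLE_QUESTION=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Classify one of the embedded samples by name.
classify_sample() {
  case "$1" in
    question)  printf '%s\n' "$SAMPLE_QUESTION"  | classify_dig_output ;;
    answer)    printf '%s\n' "$SAMPLE_ANSWER"    | classify_dig_output ;;
    validated) printf '%s\n' "$SAMPLE_VALIDATED" | classify_dig_output ;;
  esac
}
```

The asker's output classifies as "unvalidated", the answerer's as "bogus-rejected"; only the latter (or "validated" for a correctly signed name) shows an upstream that actually validates.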
