Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3390 bytes --]

Hey Paul,

I really don't want you to switch away from IPFire since there is no need to. We
will get this fixed.

And although this is a corner case I am willing to work on this. However I
cannot test.

So just to get me up to date again: Did you apply the changes from Core Update
110? Did that work or not?

-Michael

On Sat, 2017-03-25 at 10:20 -0500, Paul Simmons wrote:
> On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
> > On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> > > 
> > > Hmm...
> > > 
> > > That's interesting that only AAAA records fail. No idea why the
> > > system is
> > > resolving those any ways, but hey...
> > > 
> > > So when you do
> > > 
> > >   dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > 
> > > does that work?
> > > 
> > > What does
> > > 
> > >   dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > 
> > > do?
> > > 
> > > -Michael
> > > 
> > > ---->% massive snippage here %<----
> > 
> > Sorry for the delay. I have to chase everyone off the network and
> > reboot with another disk (development image) to test, then have to
> > reboot with Core105 and DNSSEC disabled to resume email :).
> > 
> > Here are the results:
> > 
> > # dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > 
> > ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; WARNING: Message has 23 extra bytes at end
> > 
> > ;; QUESTION SECTION:
> > ;a.root-servers.net.		IN	AAAA
> > 
> > ;; Query time: 1 msec
> > ;; SERVER: 198.41.0.4#53(198.41.0.4)
> > ;; WHEN: Wed Mar 08 09:56:11 CST 2017
> > ;; MSG SIZE  rcvd: 59
> > 
> > # dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > ;; Warning: Message parser reports malformed message packet.
> > ;; NO ANSWERS: no more
> > We want to prove the non-existence of a type of rdata 1 or of the zone: 
> > ;; nothing in authority section : impossible to validate the non-existence :
> > FAILED
> > 
> > ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> > validated: FAILED
> > 
> > Thank you,
> > Paul
> 
> Additional information:
> 
> On Core105, I have an override in /etc/sysconfig/dnsmasq:
> ENABLE_DNSSEC=0
> 
> If I remove this, DNS resolution outside of my private network fails.
> 
> I've had a long conversation with HughesNet Community Support (such as it is),
> to no avail.
> 
> Hughes has no plans to support DNSSEC in the near future, and there's no way
> to prevent the modem (HN9000) from caching / spoofing / mangling DNS traffic.
> 
> There are no other providers available - no DSL, no cable, no fiber, no
> wireless, no cellular, no anything. If I had the funds, I'd create my own NLOS
> WISP and make a tidy profit out here "in the sticks". Goodness knows, I'd like
> a reprieve from high cost, data caps, high latency, rain fade, and miserable
> throughput.
> 
> Please, is there any way to fall back to insecure DNS with IPFire's unbound
> configuration? I realize my situation is a "corner case", but I like IPFire,
> have a lot of time and effort invested, and am loath to switch to a different
> firewall.
> 
> Best regards,
> Paul

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]