From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Thu, 30 Mar 2017 17:51:20 +0100
Message-ID: <1490892680.2643.70.camel@ipfire.org>
In-Reply-To: <1490455220.20288.4.camel@hughes.net>

Hey Paul,

I really don't want you to switch away from IPFire since there is no need to.
We will get this fixed. And although this is a corner case I am willing to
work on this. However, I cannot test.

So just to get me up to date again: Did you apply the changes from Core
Update 110? Did that work or not?

-Michael

On Sat, 2017-03-25 at 10:20 -0500, Paul Simmons wrote:
> On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
> > On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> > > 
> > > Hmm...
> > > 
> > > That's interesting that only AAAA records fail. No idea why the
> > > system is resolving those anyway, but hey...
> > > 
> > > So when you do
> > > 
> > >   dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > 
> > > does that work?
> > > 
> > > What does
> > > 
> > >   dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > 
> > > do?
> > > 
> > > -Michael
> > > 
> > > ---->% massive snippage here %<----
> > 
> > Sorry for the delay. I have to chase everyone off the network and
> > reboot with another disk (development image) to test, then have to
> > reboot with Core105 and DNSSEC disabled to resume email :).
> > 
> > Here are the results:
> > 
> > # dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > 
> > ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; WARNING: Message has 23 extra bytes at end
> > 
> > ;; QUESTION SECTION:
> > ;a.root-servers.net. IN AAAA
> > 
> > ;; Query time: 1 msec
> > ;; SERVER: 198.41.0.4#53(198.41.0.4)
> > ;; WHEN: Wed Mar 08 09:56:11 CST 2017
> > ;; MSG SIZE  rcvd: 59
> > 
> > # dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > ;; Warning: Message parser reports malformed message packet.
> > ;; NO ANSWERS: no more
> > We want to prove the non-existence of a type of rdata 1 or of the zone:
> > ;; nothing in authority section : impossible to validate the non-existence :
> > FAILED
> > 
> > ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> > validated: FAILED
> > 
> > Thank you,
> > Paul
> 
> Additional information:
> 
> On Core105, I have an override in /etc/sysconfig/dnsmasq:
> ENABLE_DNSSEC=0
> 
> If I remove this, DNS resolution outside of my private network fails.
> 
> I've had a long conversation with HughesNet Community Support (such as it is),
> to no avail.
> 
> Hughes has no plans to support DNSSEC in the near future, and there's no way
> to prevent the modem (HN9000) from caching / spoofing / mangling DNS traffic.
> 
> There are no other providers available - no DSL, no cable, no fiber, no
> wireless, no cellular, no anything. If I had the funds, I'd create my own NLOS
> WISP and make a tidy profit out here "in the sticks". Goodness knows, I'd like
> a reprieve from high cost, data caps, high latency, rain fade, and miserable
> throughput.
> 
> Please, is there any way to fall back to insecure DNS with IPFire's unbound
> configuration? I realize my situation is a "corner case", but I like IPFire,
> have a lot of time and effort invested, and am loath to switch to a different
> firewall.
> 
> Best regards,
> Paul
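As an added illustration (not code from this thread, from IPFire or from unbound), the check below parses a raw DNS reply and reports the two things that decide whether a validating resolver can work behind an upstream like the one in Paul's dig output: whether the reply is well-formed (dig's "23 extra bytes at end" warning) and whether it carries DNSSEC material (an OPT record with the DO bit, RRSIG records, the AD flag). The two packets are constructed samples: one mirrors the 59-byte mangled reply quoted above, the other is what an intact DNSSEC-capable reply looks like.

```python
import struct

AAAA, OPT, RRSIG = 28, 41, 46   # RR type codes used below

def _read_name(msg, off):
    """Skip a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_response(msg):
    """Summarise the DNSSEC-relevant properties of one raw DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off) + 4  # skip QTYPE and QCLASS
    rrsigs, do_bit = 0, False
    for _ in range(an + ns + ar):
        off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrsigs += rtype == RRSIG        # a bool counts as 1
        if rtype == OPT:                # OPT reuses the TTL field for EDNS flags; DO is the top bit
            do_bit = bool(ttl & 0x8000)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "do": do_bit,
            "answers": an, "rrsigs": rrsigs, "extra_bytes": len(msg) - off}

def dnssec_path_ok(msg):
    """True only if the reply is well-formed and carries DNSSEC material."""
    r = inspect_response(msg)
    return r["extra_bytes"] == 0 and r["do"] and r["rrsigs"] > 0

def _name(labels):
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def _rr(rtype, ttl, rdata, name=b"\xc0\x0c", rclass=1):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

QUESTION = _name(["a", "root-servers", "net"]) + struct.pack("!HH", AAAA, 1)
# Constructed sample shaped like the reply in the thread: id 65258, flags qr aa rd ra,
# NOERROR, no records at all, 23 junk bytes appended, 59 bytes in total.
MANGLED = struct.pack("!HHHHHH", 65258, 0x8580, 1, 0, 0, 0) + QUESTION + b"\x00" * 23
# Constructed sample of an intact DNSSEC reply (flags qr rd ra ad): AAAA answer,
# its RRSIG (placeholder signature bytes) and an OPT record with DO set.
SIGNED = (struct.pack("!HHHHHH", 1, 0x81A0, 1, 2, 0, 1) + QUESTION
          + _rr(AAAA, 3600, b"\x20\x01" + b"\x00" * 14)
          + _rr(RRSIG, 3600, b"\x00" * 40)
          + _rr(OPT, 0x8000, b"", name=b"\x00", rclass=4096))
```

Feeding it the raw bytes of a real reply (for example the packet behind the first dig run above) tells you whether the upstream is only stripping DNSSEC or actually corrupting messages; the former calls for a non-validating fallback, the latter breaks even plain resolution.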