From: Paul Simmons <redneckmother@hughes.net>
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Thu, 30 Mar 2017 13:21:03 -0500 [thread overview]
Message-ID: <1490898063.2753.3.camel@hughes.net> (raw)
In-Reply-To: <1490892680.2643.70.camel@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 3917 bytes --]
On Thu, 2017-03-30 at 17:51 +0100, Michael Tremer wrote:
> Hey Paul,
>
> I really don't want you to switch away from IPFire since there is no
> need to. We
> will get this fixed.
>
> And although this is a corner case I am willing to work on this.
> However I
> cannot test.
>
> So just to get me up to date again: Did you apply the changes from
> Core Update
> 110? Did that work or not?
>
> -Michael
>
> On Sat, 2017-03-25 at 10:20 -0500, Paul Simmons wrote:
> > On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
> > > On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> > > >
> > > > Hmm...
> > > >
> > > > That's interesting that only AAAA records fail. No idea why the
> > > > system is
> > > > resolving those any ways, but hey...
> > > >
> > > > So when you do
> > > >
> > > > dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > >
> > > > does that work?
> > > >
> > > > What does
> > > >
> > > > dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > >
> > > > do?
> > > >
> > > > -Michael
> > > >
> > > > ---->% massive snippage here %<----
> > >
> > > Sorry for the delay. I have to chase everyone off the network and
> > > reboot with another disk (development image) to test, then have
> > > to
> > > reboot with Core105 and DNSSEC disabled to resume email :).
> > >
> > > Here are the results:
> > >
> > > # dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > >
> > > ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA
> > > +dnssec
> > > ; (1 server found)
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
> > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
> > > ADDITIONAL: 0
> > > ;; WARNING: Message has 23 extra bytes at end
> > >
> > > ;; QUESTION SECTION:
> > > ;a.root-servers.net. IN AAAA
> > >
> > > ;; Query time: 1 msec
> > > ;; SERVER: 198.41.0.4#53(198.41.0.4)
> > > ;; WHEN: Wed Mar 08 09:56:11 CST 2017
> > > ;; MSG SIZE rcvd: 59
> > >
> > > # dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > ;; Warning: Message parser reports malformed message packet.
> > > ;; NO ANSWERS: no more
> > > We want to prove the non-existence of a type of rdata 1 or of the
> > > zone:
> > > ;; nothing in authority section : impossible to validate the non-
> > > existence :
> > > FAILED
> > >
> > > ;; Impossible to verify the Non-existence, the NSEC RRset can't
> > > be
> > > validated: FAILED
> > >
> > > Thank you,
> > > Paul
> >
> > Additional information:
> >
> > On Core105, I have an override in /etc/sysconfig/dnsmasq:
> > ENABLE_DNSSEC=0
> >
> > If I remove this, DNS resolution outside of my private network
> > fails.
> >
> > I've had a long conversation with HughesNet Community Support (such
> > as it is),
> > to no avail.
> >
> > Hughes has no plans to support DNSSEC in the near future, and
> > there's no way
> > to prevent the modem (HN9000) from caching / spoofing / mangling
> > DNS traffic.
> >
> > There are no other providers available - no DSL, no cable, no
> > fiber, no
> > wireless, no cellular, no anything. If I had the funds, I'd create
> > my own NLOS
> > WISP and make a tidy profit out here "in the sticks". Goodness
> > knows, I'd like
> > a reprieve from high cost, data caps, high latency, rain fade, and
> > miserable
> > throughput.
> >
> > Please, is there any way to fall back to insecure DNS with IPFire's
> > unbound
> > configuration? I realize my situation is a "corner case", but I
> > like IPFire,
> > have a lot of time and effort invested, and am loath to switch to a
> > different
> > firewall.
> >
> > Best regards,
> > Paul
>
Hey Michael. Sorry to be a pain. Thank you for your help.
I tested with commit c016773b9816ad9be4ffc8643c30457e87c094e3 and had no luck.
I tried using both the ISP provided DNS and known "good" validating servers.
Shall I rebuild the test image with a later commit?
Paul
next prev parent reply other threads:[~2017-03-30 18:21 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1490455220.20288.4.camel@hughes.net>
2017-03-30 16:51 ` Michael Tremer
2017-03-30 18:21 ` Paul Simmons [this message]
[not found] <1490979195.2643.88.camel@ipfire.org>
2017-04-02 16:37 ` Paul Simmons
2017-04-02 18:03 ` Michael Tremer
2017-04-02 19:07 ` Paul Simmons
[not found] <1488903324.21248.2.camel@hughes.net>
2017-03-08 12:09 ` Michael Tremer
2017-03-08 16:19 ` Paul Simmons
2017-03-01 16:11 Michael Tremer
2017-03-01 16:17 ` Michael Tremer
2017-03-01 18:00 ` Paul Simmons
2017-03-03 20:54 ` Paul Simmons
2017-03-05 11:42 ` Michael Tremer
2017-03-06 18:18 ` Paul Simmons
2017-03-06 21:00 ` Michael Tremer
2017-03-06 21:47 ` Paul Simmons
2017-03-06 22:37 ` Michael Tremer
2017-03-06 23:29 ` Paul Simmons
2017-03-07 12:06 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490898063.2753.3.camel@hughes.net \
--to=redneckmother@hughes.net \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox