On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
Hmm...
That's interesting that only AAAA records fail. No idea why the system is resolving those any ways, but hey...
So when you do
dig @198.41.0.4 a.root-servers.net AAAA +dnssec
does that work?
What does
dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
do?
-Michael
---->% massive snippage here %<----
Sorry for the delay. I have to chase everyone off the network and reboot with another disk (development image) to test, then have to reboot with Core105 and DNSSEC disabled to resume email :).
Here are the results:
# dig @198.41.0.4 a.root-servers.net AAAA +dnssec
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: Message has 23 extra bytes at end
;; QUESTION SECTION: ;a.root-servers.net. IN AAAA
;; Query time: 1 msec ;; SERVER: 198.41.0.4#53(198.41.0.4) ;; WHEN: Wed Mar 08 09:56:11 CST 2017 ;; MSG SIZE rcvd: 59
# dig @8.8.8.8 +sigchase +dnssec www.ipfire.org ;; Warning: Message parser reports malformed message packet. ;; NO ANSWERS: no more We want to prove the non-existence of a type of rdata 1 or of the zone: ;; nothing in authority section : impossible to validate the non- existence : FAILED
;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
Thank you, Paul
Additional information:
On Core105, I have an override in /etc/sysconfig/dnsmasq: ENABLE_DNSSEC=0
If I remove this, DNS resolution outside of my private network fails.
I've had a long conversation with HughesNet Community Support (such as it is), to no avail.
Hughes has no plans to support DNSSEC in the near future, and there's no way to prevent the modem (HN9000) from caching / spoofing / mangling DNS traffic.
There are no other providers available - no DSL, no cable, no fiber, no wireless, no cellular, no anything. If I had the funds, I'd create my own NLOS WISP and make a tidy profit out here "in the sticks". Goodness knows, I'd like a reprieve from high cost, data caps, high latency, rain fade, and miserable throughput. Please, is there any way to fall back to insecure DNS with IPFire's unbound configuration? I realize my situation is a "corner case", but I like IPFire, have a lot of time and effort invested, and am loath to switch to a different firewall.
Best regards, Paul