On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:


Hmm...

That's interesting that only AAAA records fail. No idea why the
system is
resolving those any ways, but hey...

So when you do

  dig @198.41.0.4 a.root-servers.net AAAA +dnssec

does that work?

What does

  dig @8.8.8.8 +sigchase +dnssec www.ipfire.org

do?

-Michael

---->% massive snippage here %<----



Sorry for the delay. I have to chase everyone off the network and
reboot with another disk (development image) to test, then have to
reboot with Core105 and DNSSEC disabled to resume email :).

Here are the results:

# dig @198.41.0.4 a.root-servers.net AAAA +dnssec

; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 23 extra bytes at end

;; QUESTION SECTION:
;a.root-servers.net.		IN	AAAA

;; Query time: 1 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Mar 08 09:56:11 CST 2017
;; MSG SIZE  rcvd: 59

# dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
;; Warning: Message parser reports malformed message packet.
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone: 
;; nothing in authority section : impossible to validate the non-existence : FAILED

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

Thank you,
Paul

Additional information:

On Core105, I have an override in /etc/sysconfig/dnsmasq:
ENABLE_DNSSEC=0

If I remove this, DNS resolution outside of my private network fails.

I've had a long conversation with HughesNet Community Support (such as it is), to no avail.

Hughes has no plans to support DNSSEC in the near future, and there's no way to prevent the modem (HN9000) from caching / spoofing / mangling DNS traffic.

There are no other providers available - no DSL, no cable, no fiber, no wireless, no cellular, no anything. If I had the funds, I'd create my own NLOS WISP and make a tidy profit out here "in the sticks". Goodness knows, I'd like a reprieve from high cost, data caps, high latency, rain fade, and miserable throughput.

Please, is there any way to fall back to insecure DNS with IPFire's unbound configuration? I realize my situation is a "corner case", but I like IPFire, have a lot of time and effort invested, and am loath to switch to a different firewall.

Best regards,
Paul