← Back to team overview

touch-packages team mailing list archive

[Bug 995332] Re: Please enhance NetworkManager such that DNSSEC validation is done whenever possible

 

For some reason, subsequent DNS queries do not always bring the same
result here with the above configuration:

First queries after a reboot return what's expected:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32530
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; Query time: 127 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:49 CET 2016
;; MSG SIZE  rcvd: 50


And then, suddenly:

nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org

; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; ANSWER SECTION:
www.dnssec-failed.org.	3407	IN	A	69.252.193.191
www.dnssec-failed.org.	3407	IN	A	68.87.109.242

;; Query time: 12 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jan 02 13:11:50 CET 2016
;; MSG SIZE  rcvd: 82


Do someone have an idea of what is going on?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/995332

Title:
  Please enhance NetworkManager such that DNSSEC validation is done
  whenever possible

Status in dnsmasq package in Ubuntu:
  Invalid
Status in network-manager package in Ubuntu:
  Triaged

Bug description:
  Network Manager in Precise uses a local forwarding DNS server
  (dnsmasq).  This does not perform DNSSEC validation, although it is
  configured to proxy the DNSSEC validation result from the upstream
  server, for which the manpage mentions the following caveat:

  "You should only do this if you trust all the configured upstream
  nameservers and the network between you and them."

  Since not all networks or upstream DNS servers are trustworthy, the
  safest place to perform DNSSEC validation is on the client.  Using a
  local DNS server which cannot validate is a missed opportunity; by
  replacing dnsmasq with a more-capable DNS server (e.g. Unbound)
  security against DNS poisoning and MITM attacks could be improved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/995332/+subscriptions