[384.11_2] New DNS errors in log


RocketJSquirrel

Senior Member
Since updating to 384.11, I've been seeing lots of DNS errors. I have enabled DNS-over-TLS, but don't really understand the optimal setup. What happens with the other DNS server fields in the web GUI? Are they ignored? Not knowing what else to do with them, I've set them the same as my DoT servers. I'm using Cloudflare and Google for both IPv4 and v6.

Anyway, here are a few of the log errors; just a sample, there are dozens. Can anyone clue me in to what I have misconfigured?

May 20 13:46:15 dnsmasq[208]: Insecure DS reply received for d3a13n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 16:45:23 dnsmasq[208]: Insecure DS reply received for 168.192.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 17:35:41 dnsmasq[208]: Insecure DS reply received for 10.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
 
Yes, it has to do with using dnsmasq DNSSEC: it will not pass any DS and signing algorithms that your resolver does not validate, so it will create a SERVFAIL and the page will not load.

This is due to the strictness of the "validate unsigned signatures" option.

Some DNS servers are much more friendly with this than others.

Google DoT vs Cloudflare DoT vs Quad9 DoT


This was with Cloudflare DoT using DNSSEC via dnsmasq with the "validate unsigned signatures" option flagged.

These were some of the logged responses from the test:
Code:
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d2a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d2a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a10n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a14n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a5n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d4a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a5n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers

Notice the message "lack of DNSSEC support from upstream DNS servers".
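A small triage helper for dnsmasq lines like the ones quoted in this thread, added here as an example (it is not code from the thread, the firmware or dnsmasq): it parses the "Insecure DS reply" lines, counts them per zone, and marks the RFC 1918 reverse zones as expected noise, since public resolvers generally answer those from a local unsigned zone (RFC 6303), leaving the remaining names as the ones worth checking against the upstream resolver's DNSSEC support. The sample log is constructed from the lines above.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the format dnsmasq uses in the lines quoted in this thread.
SAMPLE_LOG = """\
May 20 13:46:15 dnsmasq[208]: Insecure DS reply received for d3a13n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 16:45:23 dnsmasq[208]: Insecure DS reply received for 168.192.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 17:35:41 dnsmasq[208]: Insecure DS reply received for 10.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 17:36:00 dnsmasq[208]: query[A] example.com from 192.168.1.10
"""

# Timestamp, pid and the zone the DS query was for; other dnsmasq lines do not match.
INSECURE_DS = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"Insecure DS reply received for (?P<name>\S+?), "
)

# RFC 1918 space: public resolvers usually answer its reverse zones from a
# local, unsigned zone (RFC 6303), so an insecure DS reply there is expected.
PRIVATE_V4 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

def reverse_zone_to_network(name):
    """Map '168.192.in-addr.arpa' to 192.168.0.0/16; None for non-reverse names."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    prefix = ".".join(octets + ["0"] * (4 - len(octets)))
    return ip_network(f"{prefix}/{8 * len(octets)}")

def classify(name):
    """'expected' for private reverse zones; 'check-upstream' for everything else."""
    net = reverse_zone_to_network(name)
    if net is not None and any(net.subnet_of(p) for p in PRIVATE_V4):
        return "expected"
    return "check-upstream"

def triage(log_text):
    """Count 'Insecure DS reply' lines per (zone, verdict) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INSECURE_DS.match(line)
        if m:
            counts[(m["name"], classify(m["name"]))] += 1
    return counts
```

Names that land in the "check-upstream" bucket (here the rootcanary.net test names) are the ones to compare across resolvers, as the tests later in this thread do.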
When we had DNSSEC through stubby the error messages did not show and the system worked perfectly well. Folks were not worried about those "failures" as they were out of sight. Someone wanted the enhanced dnsmasq logging and now folks can worry over "errors" that don't really matter.
Just my $0.02 worth.

Sent from my SM-T380 using Tapatalk
 
Here are some tests I did using other methods:
  • Without DNSSEC
  • With dnsmasq DNSSEC without the option to validate unsigned signatures
  • With dnsmasq DNSSEC with the option to validate unsigned signatures
  • With DNSSEC via the stubby.yml option (for this option, GUI DNSSEC must be disabled and the .yml file needs to be configured using the stubby.postconf script)
Attachments: Test with DoT_Page_1.jpg, Test with DoT_Page_2.jpg
 
I believe the issue with all the errors lies in the translation from DoT down to dnsmasq DNSSEC; if you just had a basic setup running with DNSSEC turned on, you don't see these errors. If DNSSEC is dealt with inside stubby.yml you do not have this translation issue either, because DNSSEC is handled before it is passed back.
 
