[getdns-users] First release candidate for getdns-1.2.1 - but still trouble
A. Schulze
sca at andreasschulze.de
Mon Nov 6 19:48:55 UTC 2017
On 03.11.2017 at 21:50, Willem Toorop wrote:
> We have a first release candidate for the upcoming 1.2.1 bugfix release
> of getdns.
Hello Willem,
I compiled the version - no warnings - no noise.
But - unrelated to this version - I still have trouble if "dnssec_return_status: GETDNS_EXTENSION_TRUE" is enabled.
In this case I get no answers.
Here is my working setup:
# cat /etc/resolv.conf
nameserver 127.0.0.1
# cat /etc/unbound/root.key
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# cat /root/.stubby.yml
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
#dnssec_return_status: GETDNS_EXTENSION_TRUE
listen_addresses:
  - 127.0.0.1
upstream_recursive_servers:
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
# stubby -C /root/.stubby.yml -i > /dev/null | tail -n 1
[19:25:53.102282] STUBBY: Read config from file /root/.stubby.yml
Result: Config file syntax is valid.
# stubby -C /root/.stubby.yml &
# dig dnssec-failed.org +dnssec +noall +answer
;; ANSWER SECTION:
dnssec-failed.org. 7155 IN A 69.252.80.75
dnssec-failed.org. 7155 IN RRSIG A 5 2 7200 20171113150538 20171102150038 44973 dnssec-failed.org. juxwes...nsQE=
# dig andreasschulze.de +dnssec +noall +answer
;; ANSWER SECTION:
andreasschulze.de. 439 IN A 188.194.67.116
andreasschulze.de. 544 IN RRSIG A 8 2 600 20171116191712 20171106191712 29011 andreasschulze.de. LWfRy...gg==
I expect to get no answer for dnssec-failed.org if I enable "dnssec_return_status: GETDNS_EXTENSION_TRUE"
If I restart stubby I get this:
# dig dnssec-failed.org +dnssec
; <<>> DiG 9.10.3-P4-Debian <<>> dnssec-failed.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61836
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 06 20:38:54 CET 2017
;; MSG SIZE rcvd: 35
-> that's fine!
but:
# dig andreasschulze.de +dnssec
; <<>> DiG 9.10.3-P4-Debian <<>> andreasschulze.de +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33838
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;andreasschulze.de. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 06 20:43:03 CET 2017
;; MSG SIZE rcvd: 35
That's not so good :-/
The only thing I noticed: a new directory "/root/.getdns/" was created. But the directory is empty.
Did I misunderstand something completely, or are some files missing in my package?
Andreas
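
Added example, not part of the original message and not getdns or stubby code: a small shell helper that turns the control-pair test used above (one deliberately bogus zone, one correctly signed zone) into a single verdict, so "rejects only bogus answers" can be told apart from "fails every query". The function names, the verdict labels and the two sample header lines are constructed for illustration.

```shell
#!/bin/sh
# Classify a stub resolver's DNSSEC behaviour from two full dig outputs:
# one for a deliberately bogus zone, one for a correctly signed zone.
# Needs dig's header line, so run dig without "+noall".

# Print the rcode found on dig's "->>HEADER<<-" line (read from stdin).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify BOGUS_RCODE SIGNED_RCODE -> verdict label (labels are hypothetical)
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "validating" ;;      # bogus rejected, signed resolves
        NOERROR/NOERROR)   echo "not-validating" ;;  # bogus data is passed through
        SERVFAIL/SERVFAIL) echo "failing-all" ;;     # even valid names are refused
        *)                 echo "inconclusive" ;;    # no header line or another rcode
    esac
}

# check_pair BOGUS_DIG_OUTPUT SIGNED_DIG_OUTPUT
check_pair() {
    bogus=$(printf '%s\n' "$1" | dig_status)
    signed=$(printf '%s\n' "$2" | dig_status)
    classify "${bogus:-NONE}" "${signed:-NONE}"
}

# Constructed sample header lines in the format dig prints (ids are made up).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2'

# The state reported in the message after enabling dnssec_return_status:
check_pair "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL"

# Against a live resolver (not run here):
#   check_pair "$(dig dnssec-failed.org +dnssec)" "$(dig andreasschulze.de +dnssec)"
```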