I am using Ubuntu 14.04.2 LTS. NetworkManager starts dnsmasq with the --proxy-dnssec option. But:
$ dig @127.0.1.1 dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
...
dnssec-failed.org. 5573 IN A 69.252.80.75
...
Any idea why this happens?
Thanks
Answer 1
Have you read man dnsmasq? Part of it reads as follows:
--proxy-dnssec
A resolver on a client machine can do DNSSEC validation in two
ways: it can perform the cryptographic operations on the reply it
receives, or it can rely on the upstream recursive nameserver to
do the validation and set a bit in the reply if it succeeds.
Dnsmasq is not a DNSSEC validator, so it cannot perform the
validation role of the recursive nameserver, but it can pass
through the validation results from its own upstream
nameservers. This option enables this behaviour. You should only
do this if you trust all the configured upstream nameservers and
the network between you and them. If you use the first DNSSEC
mode, validating resolvers in clients, this option is not
required. Dnsmasq always returns all the data needed for a
client to do validation itself.
So it looks like your upstream resolver is not passing through the validation results.
On my system (YMMV):
w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE rcvd: 46
w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-=============================================================================
un dnsmasq <none> <none> (no description available)
ii dnsmasq-base 2.68-1ubuntu0.1 amd64 Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$
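The answer's point is that with --proxy-dnssec dnsmasq only relays what its upstream says, so the thing to check is the upstream's behaviour: a validating resolver (or dnsmasq in front of one) sets the 'ad' flag on a correctly signed name and returns SERVFAIL for dnssec-failed.org, while a non-validating one returns NOERROR with no 'ad' flag for both. The following shell script is an added example, not code from either poster or from the dnsmasq project; it parses dig replies and classifies the resolver. The replies embedded in it are constructed samples (the SERVFAIL one is trimmed from the answer's own dig output), and the live usage line assumes you pick a known-good signed name to query.

```shell
#!/bin/sh
# Added example: classify a resolver's DNSSEC behaviour from two dig replies,
# one for a known-good signed name and one for dnssec-failed.org.

# rcode from the ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# succeeds if the ";; flags:" line carries the 'ad' (authenticated data) flag
dig_has_ad() {
    printf '%s\n' "$1" | grep -E '^;; flags:( [a-z]+)* ad[ ;]' >/dev/null
}

# $1: dig reply for a known-good signed name, $2: dig reply for dnssec-failed.org
# prints: validating | not-validating | inconsistent
classify_dnssec() {
    good_ad=no
    dig_has_ad "$1" && good_ad=yes
    failed_status=$(dig_status "$2")
    if [ "$good_ad" = yes ] && [ "$failed_status" = SERVFAIL ]; then
        echo validating
    elif [ "$good_ad" = no ] && [ "$failed_status" = NOERROR ]; then
        echo not-validating
    else
        # e.g. 'ad' set on the good name but NOERROR for the bogus one: the
        # resolver claims authenticated data without rejecting bad signatures
        echo inconsistent
    fi
}

# Constructed sample replies (trimmed dig output) so this runs offline.
GOOD_AD_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
GOOD_NOAD_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
FAILED_SERVFAIL_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
FAILED_NOERROR_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
dnssec-failed.org. 5573 IN A 69.252.80.75'

# Live use (needs network; SIGNED_NAME is an assumed known-good signed zone):
#   SIGNED_NAME=isc.org
#   classify_dnssec "$(dig @127.0.1.1 "$SIGNED_NAME" +dnssec)" \
#                   "$(dig @127.0.1.1 dnssec-failed.org)"
classify_dnssec "$GOOD_AD_REPLY" "$FAILED_SERVFAIL_REPLY"   # validating
classify_dnssec "$GOOD_NOAD_REPLY" "$FAILED_NOERROR_REPLY"  # not-validating
```

Run the live form once against 127.0.1.1 (dnsmasq) and once against each upstream listed in /etc/resolv.conf or in NetworkManager's configuration; if dnsmasq reports not-validating, the upstream it proxies for will too, which is exactly the situation the answer describes.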