[Dnsmasq-discuss] Good idea or bad idea: DNSSEC support?
Simon Kelley
simon at thekelleys.org.uk
Sat Dec 8 16:51:39 GMT 2007
Jima wrote:
> Simon et al,
>
> There's a bit of an interesting ongoing discussion on the
> fedora-devel-list regarding caching DNS servers. Evidently ISC BIND is
> dropping DBus support, which creates a bit of a void for what
> NetworkManager could talk to about upstream DNS servers. An early
> suggestion in the discussion[1] was dnsmasq.
> However, there were some people who were concerned about the lack of
> DNSSEC parsing/validation support in dnsmasq[2]. The question (okay,
> doubt) came up as to whether you'd even want to add such support[3], which
> is quite understandable if you didn't. Either way, though, there does
> appear to be some willingness from NetworkManager upstream to use
> dnsmasq[4] (what, like 2 years after you added DBus support for that very
> purpose?).
> So, yay or nay? I'm not looking for a firm commitment, just a "maybe" or
> a "hell no." ;-)
>
> Thanks!
>
> Jima
>
> 1. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00181.html
> 2. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00466.html
> 3. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00508.html
> 4. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00507.html
>
You're right that dnsmasq attempts to preserve security information: to
the extent that signed packets are passed through bit-perfect to avoid
breaking the signature. It doesn't, however, actually know about DNSSEC
at all.
My attitude is that I'm very happy to take a patch which implements
checking (preferably with suitable #ifdefs so it can be omitted, if
it's big). I'm not in a position to do the work myself at the moment. I
don't have the knowledge, and I don't have the time to acquire it.
Cheers,
Simon.
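Simon's point is that a forwarder like dnsmasq (at the time of this thread) relays DNSSEC material untouched but performs no validation itself, so a client behind it only gets validation if something upstream did it. The following is an added example, not code from the thread or from dnsmasq: a small wire-format parser that inspects a DNS reply for what a non-validating forwarder would pass through (RRSIG records and the EDNS DO bit) and for the AD flag that only a validating resolver sets. The reply bytes are constructed inline, with a dummy RRSIG payload, purely so the parser can be run offline.

```python
"""Inspect a DNS reply for DNSSEC material and the AD flag.

Added example (not dnsmasq code). The replies built by build_reply() are
constructed test data: the RRSIG signature field is zero-filled, so this
demonstrates parsing only, never signature verification.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
TYPE_NAMES = {1: "A", 41: "OPT", 43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name), following compression pointers."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                         # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def build_reply(ad: bool, do: bool, include_rrsig: bool) -> bytes:
    """Constructed reply for 'example.com. A' (hypothetical data, 10.0.0.1)."""
    flags = 0x8180 | (0x0020 if ad else 0)       # QR, RD, RA, optionally AD
    records = [b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([10, 0, 0, 1])]
    if include_rrsig:
        # RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature (dummy).
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 3600, 1200000000, 1199000000, 12345)
                 + encode_name("example.com.") + b"\x00" * 64)
        records.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rdata)) + rdata)
    additional, arcount = b"", 0
    if do:
        # OPT pseudo-record: root name, UDP size 4096, DO bit in the TTL field.
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
        arcount = 1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, arcount)
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(records) + additional


def inspect_reply(msg: bytes) -> dict:
    """Walk every section and report AD flag, DO bit and record types seen."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    rr_types, do_bit = [], False
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & 0x8000)           # DO flag lives in the OPT "TTL"
        else:
            rr_types.append(TYPE_NAMES.get(rtype, str(rtype)))
    return {"ad": bool(flags & 0x0020), "do": do_bit,
            "rrsig_present": "RRSIG" in rr_types, "types": rr_types}


def classify(info: dict) -> str:
    """AD means a resolver on the path validated; RRSIGs alone mean pass-through only."""
    if info["ad"]:
        return "validated-upstream"
    if info["rrsig_present"]:
        return "signed-but-unvalidated"
    return "unsigned-or-stripped"


if __name__ == "__main__":
    for args in ((False, True, True), (True, True, True), (False, False, False)):
        info = inspect_reply(build_reply(*args))
        print(args, info, classify(info))
```

The "signed-but-unvalidated" case is exactly what a pass-through forwarder produces: the RRSIGs and DO bit survive, but nothing has set AD, so a stub that trusts the forwarder gains nothing from the signatures unless it validates them itself. Note that AD is only meaningful when the link between the client and the validating resolver is itself trusted, since any hop in between can set the bit.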