[Dnsmasq-discuss] Good idea or bad idea: DNSSEC support?

richardvoigt at gmail.com
Sat Dec 8 20:58:51 GMT 2007


On Dec 7, 2007 3:52 PM, Jima <jima at beer.tclug.org> wrote:
> Simon et al,
>
>   There's a bit of an interesting ongoing discussion on the
> fedora-devel-list regarding caching DNS servers.  Evidently ISC BIND is
> dropping DBus support, which creates a bit of a void for what
> NetworkManager could talk to about upstream DNS servers.  An early
> suggestion in the discussion[1] was dnsmasq.
>   However, there were some people who were concerned about the lack of
> DNSSEC parsing/validation support in dnsmasq[2].  The question (okay,
> doubt) came up as to whether you'd even want to add such support[3], which
> is quite understandable if you didn't.  Either way, though, there does
> appear to be some willingness from NetworkManager upstream to use
> dnsmasq[4] (what, like 2 years after you added DBus support for that very
> purpose?).
>   So, yay or nay?  I'm not looking for a firm commitment, just a "maybe" or
> a "hell no." ;-)
>
>   Thanks!
>
>       Jima
>
> 1. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00181.html
> 2. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00466.html
> 3. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00508.html

This Adam seems clueless about end-to-end security.  The links
in-between, such as a proxy server, don't matter.  It isn't valid to
compare to rsh vs ssh, it might be valid to compare to ssh tunnelled
through ssh vs ssh tunnelled through netcat -- both being secure.

Additionally, a first look at DNSSEC
(http://www.nlnetlabs.nl/dnssec_howto/#x1-3000I) indicates that the
correct point of implementation is the DNS server performing recursive
queries, which dnsmasq is not.

Actually the whole DNSSEC design seems suspect to me at first glance,
due to the lack of end-to-end security.  Presumably this is because of
the great effort needed to configure a list of trusted root
certificates on each client, yet https has solved this problem.  Why
DNSSEC didn't leverage the pre-existing trusted certificate
authorities is a mystery.  Correct me if I'm wrong, but currently the
DNS client (which may be a recursive server) needs an SEP key for
every domain it wishes to use securely?  That's enough to make me
skeptical.

AFAICT, the only thing missing when using dnsmasq is that the
locally-answered queries, where the reply data comes from DHCP or
/etc/hosts, won't be signed.  Is this the issue being raised?  I think
most installations of dnsmasq don't make dnsmasq publicly visible, but
rather for local users only.

> 4. https://www.redhat.com/archives/fedora-devel-list/2007-December/msg00507.html