[Dnsmasq-discuss] forwarding signed requests
simon at thekelleys.org.uk
Wed Mar 18 09:46:07 GMT 2009
Philip Craig wrote:
> Why does dnsmasq have support for forwarding signed requests?
> The changelog indicates that this was added for dynamic dns updates.
> But I've tried to understand how dns updates work from RFC 2136, and
> also Microsoft's description at:
> and my understanding is that the client will only send these requests
> to the primary server for the domain, which will never be the dnsmasq
> i.e. the process is:
> 1. send a SOA query to dnsmasq (no signing needed)
> 2. send an update request to the primary server (signed)
> The RFC does talk about forwarding, but only in the context of
> a zone slave forwarding to a master, which does not apply for dnsmasq.
> What am I missing?
The intention of the code is to avoid invalidating the signature of
signed packets by forwarding queries and returning replies bit-perfect
unaltered. The motivation for doing this is to allow DNSSEC to function,
not for dynamic dns updates.
> The reason I ask is that I am looking at adding some support for
> retrying different servers for timeouts or NXDOMAIN responses,
> which will require storing either the original query or a
> NXDOMAIN response, and I'm trying to understand how the signed
> request support should interact with this.
You should be aware that I'm very unlikely to accept such code into the