[Dnsmasq-discuss] Testers wanted: DNSSEC.
simon at thekelleys.org.uk
Tue Feb 4 15:29:19 GMT 2014
DNSSEC in dnsmasq is a long story. There have been requests for the
feature for at least five years, and work was started in earnest two
years ago, when Giovanni Bajo got much of the way on validation, and I
made the necessary changes to the cache code. That effort stalled until
this winter, when grant from Comcast
allowed me to work full-time to get things moving again.
The result is dnsmasq-2.69test5, in git and the website now, which is
ready for testers, the more the better. From the release notes:
DNSSEC validation and caching. Dnsmasq needs to be
compiled with this enabled, with
make dnsmasq COPTS=-DHAVE_DNSSEC
this add dependencies on the nettle crypto library and the
gmp maths library. It's possible to have these linked
make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
which bloats the dnsmasq binary to over a megabyte, but
saves the size of the shared libraries which are five
times that size.
To enable, DNSSEC, you will need a set of
trust-anchors. Now that the TLDs are signed, this can be
the keys for the root zone, and for convenience they are
included in trust-anchors.conf in the dnsmasq
distribution. You should of course check that these are
legitimate and up-to-date. So, adding
to your config is all thats needed to get things
working. The upstream nameservers have to be DNSSEC-capable
too, of course. Many ISP nameservers aren't, but the
Google public nameservers (184.108.40.206 and 220.127.116.11) are.
When DNSSEC is configured, dnsmasq validates any queries
for domains which are signed. Query results which are
bogus are replaced with SERVFAIL replies, and results
which are correctly signed have the AD bit set. In
addition, and just as importantly, dnsmasq supplies
correct DNSSEC information to clients which are doing
their own validation, and caches DNSKEY, DS and RRSIG
records, which significantly improve the performance of
downstream validators. Setting --log-queries will shoow
DNSSEC in action.
I've been using this code in production here for 24 hours without
problems, so it's probably fine, but certainly alpha, and you're advised
to have a fallback path, just in case. It's pretty much complete, except
for NSEC3 validation. NXDOMAIN/NODATA replies for zones which use this
will be wrongly classed as INSECURE at the moment.
So, please go for it, and report results here.
More information about the Dnsmasq-discuss