[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Tue Feb 4 15:29:19 GMT 2014

DNSSEC in dnsmasq is a long story. There have been requests for the 
feature for at least five years, and work was started in earnest two 
years ago, when Giovanni Bajo got much of the way on validation, and I 
made the necessary changes to the cache code. That effort stalled until 
this winter, when  grant from Comcast 
allowed me to work full-time to get things moving again.

The result is dnsmasq-2.69test5, in git and the website now, which is 
ready for testers, the more the better. From the release notes:

             DNSSEC validation and caching. Dnsmasq needs to be
             compiled with this enabled, with

             make dnsmasq COPTS=-DHAVE_DNSSEC

             this add dependencies on the nettle crypto library and the
             gmp maths library. It's possible to have these linked
             statically with

             make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

             which bloats the dnsmasq binary to over a megabyte, but
             saves the size of the shared libraries which are five
             times that size.
             To enable, DNSSEC, you will need a set of
             trust-anchors. Now that the TLDs are signed, this can be
             the keys for the root zone, and for convenience they are
             included in trust-anchors.conf in the dnsmasq
             distribution. You should of course check that these are
             legitimate and up-to-date. So, adding


             to your config is all thats needed to get things
             working. The upstream nameservers have to be DNSSEC-capable
             too, of course. Many ISP nameservers aren't, but the
             Google public nameservers ( and are.
             When DNSSEC is configured, dnsmasq validates any queries
             for domains which are signed. Query results which are
             bogus are replaced with SERVFAIL replies, and results
             which are correctly signed have the AD bit set. In
             addition, and just as importantly, dnsmasq supplies
             correct DNSSEC information to clients which are doing
             their own validation, and caches DNSKEY, DS and RRSIG
             records, which significantly improve the performance of
             downstream validators. Setting --log-queries will shoow
             DNSSEC in action.

I've been using this code in production here for 24 hours without 
problems, so it's probably fine, but certainly alpha, and you're advised 
to have a fallback path, just in case. It's pretty much complete, except 
for NSEC3 validation. NXDOMAIN/NODATA replies for zones which use this 
will be wrongly classed as INSECURE at the moment.

So, please go for it, and report results here.



More information about the Dnsmasq-discuss mailing list