[Dnsmasq-discuss] Testers wanted: DNSSEC.
Eugene Rudoy
gene.devel at gmail.com
Tue Feb 4 23:31:54 GMT 2014
Hi Simon,
hmm, doesn't work for me yet. *All* replies are considered to be INSECURE.
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: started, version 2.69test6 cachesize 256
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: compile time options: no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: DNSSEC validation enabled
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: asynchronous logging enabled, queue limit is 10 messages
Feb 5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: DHCP, IP range 192.168.xx.20 -- 192.168.xx.99, lease time 12h
Feb 5 00:14:50 fb daemon.info dnsmasq-tftp[4022]: TFTP root is /tftproot
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.4.4#53
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.8.8#53
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: read /etc/hosts - 23 addresses
Feb 5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: read /etc/ethers - 3 addresses
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: query[A] www.google.com from 192.168.xx.20
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: forwarded www.google.com to 8.8.8.8
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.99
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.103
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.106
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.147
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.105
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.104
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: query[A] www.facebook.com from 192.168.xx.20
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: forwarded www.facebook.com to 8.8.8.8
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: reply www.facebook.com is <CNAME>
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: reply star.c10r.facebook.com is 31.13.81.49
Best regards,
Gene
On Tue, Feb 4, 2014 at 4:29 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> DNSSEC in dnsmasq is a long story. There have been requests for the feature
> for at least five years, and work was started in earnest two years ago, when
> Giovanni Bajo got much of the way on validation, and I made the necessary
> changes to the cache code. That effort stalled until this winter, when a
> grant from Comcast
> (http://techfund.comcast.com/index.php/home/root/comcast-news/summer-2013-project-support-update)
> allowed me to work full-time to get things moving again.
>
>
> The result is dnsmasq-2.69test5, in git and the website now, which is ready
> for testers, the more the better. From the release notes:
>
> DNSSEC validation and caching. Dnsmasq needs to be
> compiled with this enabled, with
>
> make dnsmasq COPTS=-DHAVE_DNSSEC
>
> this adds dependencies on the nettle crypto library and the
> gmp maths library. It's possible to have these linked
> statically with
>
> make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
> which bloats the dnsmasq binary to over a megabyte, but
> saves the size of the shared libraries which are five
> times that size.
> To enable DNSSEC, you will need a set of
> trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are
> included in trust-anchors.conf in the dnsmasq
> distribution. You should of course check that these are
> legitimate and up-to-date. So, adding
>
> conf-file=/path/to/trust-anchors.conf
> dnssec
>
> to your config is all that's needed to get things
> working. The upstream nameservers have to be DNSSEC-capable
> too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are.
> When DNSSEC is configured, dnsmasq validates any queries
> for domains which are signed. Query results which are
> bogus are replaced with SERVFAIL replies, and results
> which are correctly signed have the AD bit set. In
> addition, and just as importantly, dnsmasq supplies
> correct DNSSEC information to clients which are doing
> their own validation, and caches DNSKEY, DS and RRSIG
> records, which significantly improves the performance of
> downstream validators. Setting --log-queries will show
> DNSSEC in action.
>
>
> I've been using this code in production here for 24 hours without problems,
> so it's probably fine, but certainly alpha, and you're advised to have a
> fallback path, just in case. It's pretty much complete, except for NSEC3
> validation. NXDOMAIN/NODATA replies for zones which use this will be wrongly
> classed as INSECURE at the moment.
>
> So, please go for it, and report results here.
>
>
>
> Cheers,
>
> Simon.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
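A tester in Gene's position wants a quick way to tell whether the validator is actually validating, rather than reading --log-queries output line by line. The script below is an added example, not code from this thread or from dnsmasq itself: it parses the "validation result is ..." lines Simon mentions, pairs each one with the "forwarded" line before it, and reports whether any SECURE or BOGUS result appeared. INSECURE on its own is inconclusive, because it is the correct answer for names in unsigned zones, so a log that contains only such names says nothing about the trust-anchor setup either way. The sample log is constructed from the lines quoted above; the example.test queries and their SECURE/BOGUS outcomes are invented to show the other possible results.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq --log-queries output. The first lines are
# modelled on those quoted in the thread (private addresses masked as in the
# original post); the example.test queries and their SECURE/BOGUS results are
# invented so that every outcome appears at least once.
SAMPLE_LOG = """\
Feb 5 00:14:50 fb daemon.info dnsmasq[4022]: DNSSEC validation enabled
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: query[A] www.google.com from 192.168.xx.20
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: forwarded www.google.com to 8.8.8.8
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb 5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.99
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: query[A] www.facebook.com from 192.168.xx.20
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: forwarded www.facebook.com to 8.8.8.8
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb 5 00:22:58 fb daemon.info dnsmasq[4022]: reply www.facebook.com is <CNAME>
Feb 5 00:23:10 fb daemon.info dnsmasq[4022]: query[A] example.test from 192.168.xx.20
Feb 5 00:23:10 fb daemon.info dnsmasq[4022]: forwarded example.test to 8.8.8.8
Feb 5 00:23:10 fb daemon.info dnsmasq[4022]: validation result is SECURE
Feb 5 00:23:10 fb daemon.info dnsmasq[4022]: reply example.test is 192.0.2.10
Feb 5 00:23:30 fb daemon.info dnsmasq[4022]: query[A] bad.example.test from 192.168.xx.20
Feb 5 00:23:30 fb daemon.info dnsmasq[4022]: forwarded bad.example.test to 8.8.8.8
Feb 5 00:23:30 fb daemon.info dnsmasq[4022]: validation result is BOGUS
"""

# Only lines from the "dnsmasq[pid]:" process are matched; the dnsmasq-dhcp
# and dnsmasq-tftp prefixes seen in the thread are skipped automatically.
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")
RESULT_RE = re.compile(r"dnsmasq\[\d+\]: validation result is (\w+)")


def parse_validation_results(log_text):
    """Return (query name, result) pairs.

    Each "validation result" line is paired with the most recent "forwarded"
    line before it. Caveat: dnsmasq handles queries concurrently, so on a
    busy server lines from different queries can interleave and this pairing
    becomes a heuristic; for a quiet test setup like the one in the thread
    it is exact.
    """
    results = []
    last_forwarded = None
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            last_forwarded = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m and last_forwarded is not None:
            results.append((last_forwarded, m.group(1)))
            last_forwarded = None
    return results


def summarize_results(results):
    """Count how many queries ended in each validation outcome."""
    return Counter(result for _name, result in results)


def validator_active(results):
    """True once at least one answer was checked against a chain of trust.

    A SECURE or BOGUS verdict can only come from a validator that built a
    chain from the configured trust anchor down to the answer, so one such
    result is evidence that the setup works. INSECURE alone proves nothing,
    since it is also the expected verdict for names in unsigned zones.
    """
    return any(result in ("SECURE", "BOGUS") for _name, result in results)


def report(log_text):
    """Produce the summary lines a tester would print to the terminal."""
    results = parse_validation_results(log_text)
    counts = summarize_results(results)
    lines = [f"{name}: {result}" for name, result in results]
    lines.append("totals: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    if validator_active(results):
        lines.append("validator active: yes")
    else:
        lines.append("validator active: unknown (only INSECURE seen; query a name in a signed zone)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real log, the useful signal is the last line: if every query in the test session came back INSECURE, the next step is to query a name that is known to be in a signed zone before concluding that validation is broken.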