[Dnsmasq-discuss] Testers wanted: DNSSEC.

Eugene Rudoy gene.devel at gmail.com
Tue Feb 4 23:31:54 GMT 2014


Hi Simon,

hmm, doesn't work for me yet. *All* replies are considered to be INSECURE.

Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: started, version 2.69test6 cachesize 256
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: compile time options: no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: DNSSEC validation enabled
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: asynchronous logging enabled, queue limit is 10 messages
Feb  5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: DHCP, IP range 192.168.xx.20 -- 192.168.xx.99, lease time 12h
Feb  5 00:14:50 fb daemon.info dnsmasq-tftp[4022]: TFTP root is /tftproot
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.4.4#53
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: using nameserver 8.8.8.8#53
Feb  5 00:14:50 fb daemon.info dnsmasq[4022]: read /etc/hosts - 23 addresses
Feb  5 00:14:50 fb daemon.info dnsmasq-dhcp[4022]: read /etc/ethers - 3 addresses

Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: query[A] www.google.com from 192.168.xx.20
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: forwarded www.google.com to 8.8.8.8
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.99
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.103
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.106
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.147
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.105
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.104

Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: query[A] www.facebook.com from 192.168.xx.20
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: forwarded www.facebook.com to 8.8.8.8
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: reply www.facebook.com is <CNAME>
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: reply star.c10r.facebook.com is 31.13.81.49

Best regards,
Gene
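To make the symptom Gene reports easy to spot in a longer --log-queries capture, the following added script (not part of this thread or of dnsmasq) pairs each "validation result" line with the query that was just forwarded and flags the case where every validated reply comes back INSECURE. It assumes, as in the quoted log, that the result line follows its "forwarded" line; the sample log is constructed from the lines in Gene's report.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq --log-queries output, modelled on Gene's report.
SAMPLE_LOG = """\
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: query[A] www.google.com from 192.168.xx.20
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: forwarded www.google.com to 8.8.8.8
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb  5 00:22:19 fb daemon.info dnsmasq[4022]: reply www.google.com is 173.194.69.99
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: query[A] www.facebook.com from 192.168.xx.20
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: forwarded www.facebook.com to 8.8.8.8
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: validation result is INSECURE
Feb  5 00:22:58 fb daemon.info dnsmasq[4022]: reply www.facebook.com is <CNAME>
"""

FORWARDED = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")
RESULT = re.compile(r"dnsmasq\[\d+\]: validation result is (\w+)")


def validation_results(log_text):
    """Return (name, upstream, result) tuples in log order.

    Assumption: a 'validation result' line refers to the most recently
    forwarded name, which is how the quoted log is laid out.
    """
    results = []
    last = None
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if m:
            last = (m.group(1), m.group(2))
            continue
        m = RESULT.search(line)
        if m and last is not None:
            results.append((last[0], last[1], m.group(1)))
    return results


def summarize(results):
    """Count outcomes and flag when every validated reply is INSECURE."""
    counts = Counter(result for _, _, result in results)
    all_insecure = bool(results) and counts["INSECURE"] == len(results)
    return counts, all_insecure


if __name__ == "__main__":
    res = validation_results(SAMPLE_LOG)
    counts, all_insecure = summarize(res)
    for name, upstream, result in res:
        print(f"{name:25} via {upstream:10} -> {result}")
    print(dict(counts))
    if all_insecure:
        print("every validated reply is INSECURE: check trust anchors and upstream DNSSEC support")
```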

On Tue, Feb 4, 2014 at 4:29 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> DNSSEC in dnsmasq is a long story. There have been requests for the feature
> for at least five years, and work was started in earnest two years ago, when
> Giovanni Bajo got much of the way on validation, and I made the necessary
> changes to the cache code. That effort stalled until this winter, when a
> grant from Comcast
> (http://techfund.comcast.com/index.php/home/root/comcast-news/summer-2013-project-support-update)
> allowed me to work full-time to get things moving again.
>
>
> The result is dnsmasq-2.69test5, in git and the website now, which is ready
> for testers, the more the better. From the release notes:
>
>             DNSSEC validation and caching. Dnsmasq needs to be
>             compiled with this enabled, with
>
>             make dnsmasq COPTS=-DHAVE_DNSSEC
>
>             this adds dependencies on the nettle crypto library and the
>             gmp maths library. It's possible to have these linked
>             statically with
>
>             make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
>             which bloats the dnsmasq binary to over a megabyte, but
>             saves the size of the shared libraries which are five
>             times that size.
>             To enable DNSSEC, you will need a set of
>             trust-anchors. Now that the TLDs are signed, this can be
>             the keys for the root zone, and for convenience they are
>             included in trust-anchors.conf in the dnsmasq
>             distribution. You should of course check that these are
>             legitimate and up-to-date. So, adding
>
>             conf-file=/path/to/trust-anchors.conf
>             dnssec
>
>             to your config is all that's needed to get things
>             working. The upstream nameservers have to be DNSSEC-capable
>             too, of course. Many ISP nameservers aren't, but the
>             Google public nameservers (8.8.8.8 and 8.8.4.4) are.
>             When DNSSEC is configured, dnsmasq validates any queries
>             for domains which are signed. Query results which are
>             bogus are replaced with SERVFAIL replies, and results
>             which are correctly signed have the AD bit set. In
>             addition, and just as importantly, dnsmasq supplies
>             correct DNSSEC information to clients which are doing
>             their own validation, and caches DNSKEY, DS and RRSIG
>             records, which significantly improves the performance of
>             downstream validators. Setting --log-queries will show
>             DNSSEC in action.
>
>
> I've been using this code in production here for 24 hours without problems,
> so it's probably fine, but certainly alpha, and you're advised to have a
> fallback path, just in case. It's pretty much complete, except for NSEC3
> validation. NXDOMAIN/NODATA replies for zones which use this will be wrongly
> classed as INSECURE at the moment.
>
> So, please go for it, and report results here.
>
>
>
> Cheers,
>
> Simon.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss