[Dnsmasq-discuss] Testers wanted: DNSSEC.

Matthias Andree matthias.andree at gmx.de
Wed Feb 5 08:58:14 GMT 2014

On 05.02.2014 09:46, Simon Kelley wrote:

> The second answer comes from the cache, and the DO bit is not set in the
> query, so the answer doesn't have the AD flag or RRSIG, if you add
> "+dnssec" to the dig command you should see both in replies from the cache,

Thank you. You are right, that part of it works.

In fact, dnsmasq forwards queries to FreeBSD's local BIND 9.8.4-P2 that
I configured to also use DNSSEC - the question is if dnscache should
only ever return back what it would also store into the cache.

Regarding query logging, I noticed a difference between BOGUS (known bad
signature) and INSECURE (no signature).  I am not sure if these are
official terms from the RFCs, but even if the INSECURE is ambiguous -
and I would like to propose:

1. that the .example configuration file be enhanced with the dnssec
snippet you use in CHANGELOG - feel free to grab the port's patch from

2. that the relevant query logging diagnostics and possible results for
DNSSEC be documented in the manpage, else this part of the manpage
remains unclear to a user in these respects:
 - what is a reply, what is a response (in technical documentation,
please always use the same word for the same subject)
 - BOGUS and SERVFAIL appear from nowhere without explanation elsewhere
in the manual.

>        --dnssec-debug
>               Set debugging mode for the DNSSEC validation, set  the  Checking
>               Disabled  bit  on  upstream  queries,  and  don't  convert BOGUS
>               replies to SERVFAIL responses.
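
Added example (not part of the original thread, and not dnsmasq code): the DO bit and AD flag discussed above, shown at wire level. `build_query(..., do=True)` appends the EDNS0 OPT record that `dig +dnssec` adds to a query, and `response_has_ad` reads the AD bit from a reply header; the function names and the sample header bytes are constructed for illustration.

```python
import struct

DO_BIT = 0x8000    # "DNSSEC OK" flag inside the 32-bit TTL field of the OPT RR (RFC 3225)
AD_FLAG = 0x0020   # "Authenticated Data" bit in the DNS header flags (RFC 4035)
TYPE_OPT = 41      # EDNS0 pseudo-record type

def build_query(name, qtype=1, do=False, qid=0x1234):
    """Build a DNS query; with do=True, append an OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg

def _skip_name(msg, pos):
    """Skip an uncompressed domain name and return the offset after it."""
    while msg[pos]:
        pos += msg[pos] + 1
    return pos + 1

def query_has_do(msg):
    """True if the query's additional section holds an OPT RR with DO set."""
    qd, _an, _ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # QTYPE + QCLASS
    for _ in range(ar):                          # queries carry no AN/NS records
        pos = _skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT and ttl & DO_BIT:
            return True
        pos += 10 + rdlen
    return False

def response_has_ad(msg):
    """True if the AD flag is set in a response header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & AD_FLAG)

# Constructed reply headers: QR+RD+RA with and without AD, all counts zero.
VALIDATED_HDR = bytes.fromhex("123481a0") + b"\x00" * 8
PLAIN_HDR = bytes.fromhex("12348180") + b"\x00" * 8

if __name__ == "__main__":
    for do in (False, True):
        q = build_query("example.com", do=do)
        print(f"do={do}: {len(q)} bytes, DO present: {query_has_do(q)}")
    print("AD in validated header:", response_has_ad(VALIDATED_HDR))
```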
