[Dnsmasq-discuss] Testers wanted: DNSSEC.
simon at thekelleys.org.uk
Thu Feb 6 10:27:52 GMT 2014
On 05/02/14 23:35, Eugene Rudoy wrote:
> Hi Simon,
> On Thu, Feb 6, 2014 at 12:23 AM, Eugene Rudoy <gene.devel at gmail.com> wrote:
>> hmm, tried all above, still INSECURE
> --dnssec-debug doesn't make log more verbose or provide any additional
> information. Is it the expected behavior?
It does two things, the results of which are not externally obvious.
1) It sets the cd (checking disabled) bit in upstream queries, so that
it's possible to check that invalid data is identified, rather than
just getting a SERVFAIL from the upstream server.
2) It suppresses SERVFAIL as the reply to queries whose answer doesn't
verify, for similar reasons.
More information about the Dnsmasq-discuss