[Dnsmasq-discuss] Testers wanted: DNSSEC.
simon at thekelleys.org.uk
Thu Feb 6 11:19:56 GMT 2014
On 05/02/14 08:58, Matthias Andree wrote:
> Am 05.02.2014 09:46, schrieb Simon Kelley:
>> The second answer comes from the cache, and the DO bit is not set in the
>> query, so the answer doesn't have the AD flag or RRSIG, if you add
>> "+dnssec" to the dig command you should see both in replies from the cache,
> Thank you. You are right, that part of it works.
> In fact, dnsmasq forwards queries to FreeBSD's local BIND 9.8.4-P2 that
> I configured to also use DNSSEC - the question is if dnscache should
> only ever return back what it would also store into the cache.
> Regarding query logging, I noticed a difference between BOGUS (known bad
> signature) and INSECURE (no signature). I am not sure if these are
> official terms from the RFCs, but even if the INSECURE is ambiguous -
> and I would like to propose:
The terms come from RFC4033 section 5, but note that dnsmasq doesn't
distinguish between "insecure" and "indeterminate" as defined there. It
could do, but at significant performance cost. Currently if dnsmasq gets
a reply which has no signature, it determines that it's insecure and
does no further processing. To be able to distinguish such an answer
between indeterminate and insecure, it would have to follow the chain
of trust from the root to find proof of lack of signature of the zone in
question. Since the external behaviour of dnsmasq is not affected by the
indeterminate/insecure split, that seems somewhat pointless.
> 1. that the .example configuration file be enhanced with the dnssec
> snippet you use in CHANGELOG - feel free to grab the port's patch from
> 2. that the relevant query logging diagnostics and possible results for
> DNSSEC be documented in the manpage, else this part of the manpage
> remains unclear to a user in these respects:
> - what is a reply, what is a response (in technical documentation,
> please always use the same word for the same subject)
> - BOGUS and SERVFAIL appear from nowhere without explanation elsewhere
> in the manual.
>> Set debugging mode for the DNSSEC validation, set the Checking
>> Disabled bit on upstream queries, and don't convert BOGUS
>> replies to SERVFAIL responses.
A valid point, this has caused widespread confusion.
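As an added illustration of the DO/AD exchange discussed above (example code written for this page, not dnsmasq's or dig's own): the script builds an A query with and without the EDNS0 DO bit, which is what `dig +dnssec` adds, and a constructed validating-cache reply that, mirroring the behaviour described in the thread, returns the AD flag and an RRSIG only when the query carried DO. The reply's address and signature bytes are constructed placeholders, and `inspect()` is a minimal parser for checking either side of the exchange.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035): QR = response, RD/RA = recursion, AD = authentic data.
QR, RD, RA, AD = 1 << 15, 1 << 8, 1 << 7, 1 << 5
DO = 1 << 15            # DNSSEC OK: high bit of the OPT pseudo-RR's TTL field (RFC 6891)
A, OPT, RRSIG = 1, 41, 46

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def opt_rr(dnssec_ok):
    # Root name, type OPT, UDP payload size 4096, DO flag in the TTL slot, empty RDATA.
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, DO if dnssec_ok else 0, 0)

def skip_name(pkt, off):
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:   # walk labels until the root label or a compression pointer
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)           # a pointer is two bytes, the root label one

def inspect(pkt):
    """Return (AD set?, DO set?, RRSIG count) for any DNS query or response packet."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    do, rrsigs = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        do = do or (rtype == OPT and bool(ttl & DO))
        rrsigs += rtype == RRSIG
    return bool(flags & AD), do, rrsigs

def build_query(name, dnssec_ok=False, txid=0x1234):
    """A-record query; dnssec_ok appends the EDNS0 OPT with DO, which is what 'dig +dnssec' sends."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if dnssec_ok else 0)
    return header + encode_name(name) + struct.pack("!HH", A, 1) + (opt_rr(True) if dnssec_ok else b"")

def build_response(query, rrsig_rdata=b"constructed-signature-bytes"):
    """Constructed reply of a validating cache: AD and the RRSIG come back only if the query had DO."""
    txid = struct.unpack("!H", query[:2])[0]
    _, do, _ = inspect(query)
    question = query[12:skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])  # constructed TEST-NET address
    if not do:
        return struct.pack("!HHHHHH", txid, QR | RD | RA, 1, 1, 0, 0) + question + answer
    sig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    return struct.pack("!HHHHHH", txid, QR | RD | RA | AD, 1, 2, 0, 1) + question + answer + sig + opt_rr(True)
```

Running `inspect(build_response(build_query("example.com")))` gives `(False, False, 0)`, and the same with `dnssec_ok=True` gives `(True, True, 1)`, which is the difference a plain `dig` and `dig +dnssec` show against the cache.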