[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 11:19:56 GMT 2014

On 05/02/14 08:58, Matthias Andree wrote:
> Am 05.02.2014 09:46, schrieb Simon Kelley:
>> The second answer comes from the cache, and the DO bit is not set in the
>> query, so the answer doesn't have the AD flag or RRSIG, if you add
>> "+dnssec" to the dig command you should see both in replies from the cache,
> Thank you. You are right, that part of it works.
> In fact, dnsmasq forwards queries to FreeBSD's local BIND 9.8.4-P2 that
> I configured to also use DNSSEC - the question is if dnscache should
> only ever return back what it would also store into the cache.
> Regarding query logging, I noticed a difference between BOGUS (known bad
> signature) and INSECURE (no signature).  I am not sure if these are
> official terms from the RFCs, but even if the INSECURE is ambiguous -
> and I would like to propose:

The terms come from RFC4033 section 5, but note that dnsmasq doesn't 
distinguish between "insecure" and "indeterminate" as defined there. It 
could do, but at significant performance cost. Currently if dnsmasq gets 
a reply which has no signature, it determines that it's insecure and 
does no further processing. To be able to distinguish such an answer 
between indeterminate and insecure, it would have to follow the chain 
of trust from the root to find proof of lack of signature of the zone in 
question. Since the external behaviour of dnsmasq is not affected by the 
indeterminate/insecure split, that seems somewhat pointless.

> 1. that the .example configuration file be enhanced with the dnssec
> snippet you use in CHANGELOG - feel free to grab the port's patch from
> <http://svnweb.freebsd.org/ports/head/dns/dnsmasq-devel/files/patch-dnsmasq.conf.example?revision=342621&view=markup&sortby=date>

Will do.

> 2. that the relevant query logging diagnostics and possible results for
> DNSSEC be documented in the manpage, else this part of the manpage
> remains unclear to a user in these respects:
>   - what is a reply, what is a response (in technical documentation,
> please always use the same word for the same subject)
>   - BOGUS and SERVFAIL appear from nowhere without explanation elsewhere
> in the manual.
>>         --dnssec-debug
>>                Set debugging mode for the DNSSEC validation, set the Checking
>>                Disabled bit on upstream queries, and don't convert BOGUS
>>                replies to SERVFAIL responses.
A valid point, this has caused widespread confusion.
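Added example, not code from dnsmasq or from anyone in this thread: a small Python model of the four RFC 4033 section 5 validation states (secure, bogus, insecure, indeterminate) over a constructed toy delegation tree. It contrasts the short-cut described above, where a reply with no RRSIG is reported insecure without further work, with a full walk from the configured trust anchor, and counts the zones that walk has to examine. The zone table, `validate` and `chain_walk` are assumptions made for illustration.

```python
from enum import Enum

class Status(Enum):
    SECURE = "secure"
    BOGUS = "bogus"
    INSECURE = "insecure"
    INDETERMINATE = "indeterminate"

# Constructed toy delegation tree (not real DNS data). Per zone: does it sign
# its data, does the parent publish a DS for it (False = the parent instead
# holds a signed denial proving "no DS"), and do its signatures verify.
ZONES = {
    ".":                 dict(signed=True,  ds=None,  sig_ok=True),
    "example.":          dict(signed=True,  ds=True,  sig_ok=True),
    "bad.example.":      dict(signed=True,  ds=True,  sig_ok=False),
    "unsigned.example.": dict(signed=False, ds=False, sig_ok=None),
    "isle.":             dict(signed=False, ds=False, sig_ok=None),
}

def ancestors(name):
    """'a.example.' -> ['.', 'example.', 'a.example.'] (root first)."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def chain_walk(name, anchors):
    """Full RFC 4033 s.5 classification: walk from the closest configured
    trust anchor down to `name`. Returns (Status, number of zones examined)."""
    chain = ancestors(name)
    covering = [i for i, zone in enumerate(chain) if zone in anchors]
    if not covering:  # no configured anchor covers this name at all
        return Status.INDETERMINATE, 0
    start = covering[-1]
    for i in range(start, len(chain)):
        zone = ZONES[chain[i]]
        if i > start and zone["ds"] is False:  # signed proof of "no DS": unsigned below here
            return Status.INSECURE, i - start + 1
        if not zone["signed"] or not zone["sig_ok"]:
            return Status.BOGUS, i - start + 1
    return Status.SECURE, len(chain) - start

def validate(name, anchors, prove_unsigned=False):
    """prove_unsigned=False is the short-cut the message describes: a reply
    carrying no RRSIG is reported INSECURE at once, with no chain walk."""
    if not ZONES[name]["signed"] and not prove_unsigned:
        return Status.INSECURE, 0
    return chain_walk(name, anchors)
```

With a trust anchor for `example.` only, the short-cut reports `isle.` as insecure while the full walk reports it indeterminate; with a root anchor both agree, but the full walk pays for every zone between the anchor and the name.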
