[Dnsmasq-discuss] Testers wanted: DNSSEC.

Matthias Andree matthias.andree at gmx.de
Fri Feb 7 08:45:20 GMT 2014


Am 07.02.2014 09:24, schrieb Simon Kelley:
> On 07/02/14 08:21, Jan-Piet Mens wrote:
>>> Answering my previous question, this behaviour is specified in RFC
>>> 6840 para 5.7. Code changes to implement it are in git now.
>>
>> Have they been comitted? ;-) No visible change here ...
> 
> Ooops.   Try now.
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=e243c072b591cdeff8ac00483f5a9e426729534b
> 
> 

I moved forward to test7, and now the FIRST query (the one shipping the
RRSIG and other additional stuff) lacks the AD flag, subsequent
responses carry it.

Do I need to disable DNSSEC verification in the BIND that dnsmasq
forwards to to get useful test results?

> $ dig sigok.verteiltesysteme.net. a +ad
> 
> ; <<>> DiG 9.8.4-P2 <<>> sigok.verteiltesysteme.net. a +ad
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47460
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
> 
> ;; QUESTION SECTION:
> ;sigok.verteiltesysteme.net.	IN	A
> 
> ;; ANSWER SECTION:
> sigok.verteiltesysteme.net. 60	IN	A	134.91.78.139
> 
> ;; AUTHORITY SECTION:
> verteiltesysteme.net.	2698	IN	NS	ns1.verteiltesysteme.net.
> verteiltesysteme.net.	2698	IN	NS	ns2.verteiltesysteme.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.verteiltesysteme.net. 2698	IN	A	134.91.78.139
> ns1.verteiltesysteme.net. 2698	IN	AAAA	2001:638:501:8efc::139
> ns2.verteiltesysteme.net. 2698	IN	A	134.91.78.141
> ns2.verteiltesysteme.net. 2698	IN	AAAA	2001:638:501:8efc::141
> 
> ;; Query time: 39 msec
> ;; SERVER: 192.168.33.4#53(192.168.33.4)
> ;; WHEN: Fri Feb  7 09:43:58 2014
> ;; MSG SIZE  rcvd: 184
> $ dig sigok.verteiltesysteme.net. a +ad
> 
> ; <<>> DiG 9.8.4-P2 <<>> sigok.verteiltesysteme.net. a +ad
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34332
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;sigok.verteiltesysteme.net.	IN	A
> 
> ;; ANSWER SECTION:
> sigok.verteiltesysteme.net. 55	IN	A	134.91.78.139
> 
> ;; Query time: 0 msec
> ;; SERVER: 192.168.33.4#53(192.168.33.4)
> ;; WHEN: Fri Feb  7 09:44:03 2014
> ;; MSG SIZE  rcvd: 60




More information about the Dnsmasq-discuss mailing list