[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

sven falempin sven.falempin at gmail.com
Mon Mar 24 17:45:26 UTC 2014


openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
[make]
$ ./src/dnsmasq --version
Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC

Would you please explain why the dependency on <nettle>? Can't we
use the crypto of OpenSSH?

Here's the running setup:
- - - - - - - - - -
root     31974  0.0  0.1   992  1304 p5  I+     6:40PM    0:00.01
dnsmasq -d -C /etc/dnsmasq.conf --log-queries
# cat /etc/dnsmasq.conf
domain-needed
bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
conf-file=/etc/trust-anchors.conf
dnssec
filterwin2k

# cat /etc/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5



- - - - - - - - - -

and a request output:

dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: reply google.fr is 173.194.34.184
dnsmasq: query[AAAA] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is 216.239.32.21
dnsmasq: reply thekelleys.org is 216.239.34.21
dnsmasq: reply thekelleys.org is 216.239.36.21
dnsmasq: reply thekelleys.org is 216.239.38.21
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[MX] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE


Best regards,


On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> It's time to start the release process for 2.69
>
> The big news for this release is DNSSEC validation. I've made a first
> release-candidate, available at
>
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>
> Please run it if you can, and report any problems. If you can configure
> DNSSEC and test that, all the better. CHANGELOG attached below.
>
>
> Cheers,
>
>
> Simon.
>
> -----------------------------------------------------------------------------
>
>             Implement dynamic interface discovery on *BSD. This allows
>             the constructor: syntax to be used in dhcp-range for DHCPv6
>             on the BSD platform. Thanks to Matthias Andree for
>             valuable research on how to implement this.
>
>             Fix infinite loop associated with some --bogus-nxdomain
>             configs. Thanks fogobogo for the bug report.
>
>             Fix missing RA RDNS option with configuration like
>             --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
>             for spotting the problem.
>
>             Add [fd00::] and [fe80::] as special addresses in DHCPv6
>             options, analogous to [::]. [fd00::] is replaced with the
>             actual ULA of the interface on the machine running
>             dnsmasq, [fe80::] with the link-local address.
>             Thanks to Tsachi Kimeldorfer for championing this.
>
>             DNSSEC validation and caching. Dnsmasq needs to be
>             compiled with this enabled, with
>
>             make dnsmasq COPTS=-DHAVE_DNSSEC
>
>             this adds dependencies on the nettle crypto library and the
>             gmp maths library. It's possible to have these linked
>             statically with
>
>             make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
>             which bloats the dnsmasq binary to over a megabyte, but
>             saves the size of the shared libraries which are five
>             times that size.
>             To enable DNSSEC, you will need a set of
>             trust-anchors. Now that the TLDs are signed, this can be
>             the keys for the root zone, and for convenience they are
>             included in trust-anchors.conf in the dnsmasq
>             distribution. You should of course check that these are
>             legitimate and up-to-date. So, adding
>
>             conf-file=/path/to/trust-anchors.conf
>             dnssec
>
>             to your config is all that's needed to get things
>             working. The upstream nameservers have to be DNSSEC-capable
>             too, of course. Many ISP nameservers aren't, but the
>             Google public nameservers (8.8.8.8 and 8.8.4.4) are.
>             When DNSSEC is configured, dnsmasq validates any queries
>             for domains which are signed. Query results which are
>             bogus are replaced with SERVFAIL replies, and results
>             which are correctly signed have the AD bit set. In
>             addition, and just as importantly, dnsmasq supplies
>             correct DNSSEC information to clients which are doing
>             their own validation, and caches DNSKEY, DS and RRSIG
>             records, which significantly improves the performance of
>             downstream validators. Setting --log-queries will show
>             DNSSEC in action.
>
>             The development of DNSSEC in dnsmasq was started by
>             Giovanni Bajo, to whom huge thanks are owed. It has been
>             supported by Comcast, whose techfund grant has allowed for
>             an invaluable period of full-time work to get it to
>             a workable state.
>
>             Add --rev-server. Thanks to Dave Taht for suggesting this.
>
>             Add --servers-file. Allows dynamic update of upstream
>             servers full access to configuration.
>
>             Add --local-service. Accept DNS queries only from hosts
>             whose address is on a local subnet, ie a subnet for which
>             an interface exists on the server. This option
>             only has effect if there are no --interface, --except-interface,
>             --listen-address or --auth-server options. It is
>             intended to be set as a default on installation, to allow
>             unconfigured installations to be useful but also safe from
>             being used for DNS amplification attacks.
>
>             Fix crashes in cache_get_cname_target() when dangling CNAMEs
>             encountered. Thanks to Andy and the rt-n56u project for
>             finding this and helping to chase it down.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
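Two sanity checks for the setup discussed in this thread, added here as an example that is not part of the original message or of dnsmasq itself. The first recomputes the DS line in trust-anchors.conf from the root KSK DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4 and RFC 4509), which is the "check that these are legitimate" step the changelog asks for; the KSK-2010 public key below is assumed to be a transcription of the record published in the root zone, and for a real deployment you would take the live value from `dig . DNSKEY +dnssec`. The second summarises the "validation result" lines of --log-queries output per forwarded name, so a log like the one above can be scanned for anything other than INSECURE or SECURE. The SECURE and BOGUS lines in the sample log are constructed; the rest are copied from the output above.

```python
# Added example (not dnsmasq code): sanity checks for the DNSSEC configuration
# shown in this thread.
#  1. Recompute the DS digest in trust-anchors.conf from the root KSK DNSKEY.
#  2. Summarise "validation result" lines from dnsmasq --log-queries output.
import base64
import hashlib
import re
from collections import Counter, defaultdict

# The line from /etc/trust-anchors.conf on this page.
TRUST_ANCHOR_LINE = ("trust-anchor=.,19036,8,2,"
                     "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# Root KSK-2010 public key (DNSKEY 257 3 8 ...). Assumption: transcribed from
# the published root zone record; use `dig . DNSKEY +dnssec` for a live check.
ROOT_KSK_2010_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd"
    "0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/V"
    "HL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtu"
    "A6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ip"
    "AdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# Sample --log-queries output. The google.fr/thekelleys.org lines are from the
# thread; the example.test lines (SECURE, BOGUS) are constructed for this demo.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[A] example.test from 10.0.0.42
dnsmasq: forwarded example.test to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply example.test is 192.0.2.10
dnsmasq: query[A] bad.example.test from 10.0.0.42
dnsmasq: forwarded bad.example.test to 8.8.8.8
dnsmasq: validation result is BOGUS
"""


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) wire-format owner name; the root is one zero byte."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()


def parse_trust_anchor(line):
    """dnsmasq syntax: trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>"""
    domain, tag, alg, dtype, digest = line.split("=", 1)[1].split(",")
    return domain, int(tag), int(alg), int(dtype), digest.upper()


def trust_anchor_matches(line, flags, protocol, algorithm, pubkey_b64):
    """True iff the configured DS line was derived from the given DNSKEY."""
    domain, tag, alg, dtype, digest = parse_trust_anchor(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return alg == algorithm and tag == key_tag(rdata) and digest == ds_digest(domain, rdata, dtype)


FORWARDED_RE = re.compile(r"dnsmasq: forwarded (?P<name>\S+) to (?P<server>\S+)")
RESULT_RE = re.compile(r"dnsmasq: validation result is (?P<result>\w+)")


def summarise_validation(log_text):
    """Count validation results per forwarded name: {name: Counter({result: n})}.

    dnsmasq logs the result right after it finishes validating the answer it
    last forwarded, so each result line is attributed to the most recent
    'forwarded' line. Works with the syslog-prefixed form too (search, not match).
    """
    per_name = defaultdict(Counter)
    last_forwarded = None
    for line in log_text.splitlines():
        m = FORWARDED_RE.search(line)
        if m:
            last_forwarded = m.group("name")
            continue
        m = RESULT_RE.search(line)
        if m and last_forwarded is not None:
            per_name[last_forwarded][m.group("result")] += 1
    return dict(per_name)


def names_with_result(summary, result):
    """Sorted names that saw the given validation result at least once."""
    return sorted(n for n, c in summary.items() if c[result])


if __name__ == "__main__":
    print("trust anchor matches KSK-2010:",
          trust_anchor_matches(TRUST_ANCHOR_LINE, 257, 3, 8, ROOT_KSK_2010_B64))
    s = summarise_validation(SAMPLE_LOG)
    for name, counts in sorted(s.items()):
        print(name, dict(counts))
    print("BOGUS:", names_with_result(s, "BOGUS"))
```

INSECURE in the output above is not a failure: it means dnsmasq proved the answer comes from a zone with no DS at its delegation, so there was nothing to validate. SECURE is a validated answer (AD bit set), and a bogus result is what the changelog says is turned into SERVFAIL; a name that keeps showing up in the bogus list is either a broken zone or a path on which someone is tampering with responses.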