[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1
sven falempin
sven.falempin at gmail.com
Mon Mar 24 17:45:26 UTC 2014
openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
[make]
$ ./src/dnsmasq --version
Dnsmasq version 2.69rc1 Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
Would you please explain the dependency on <nettle>? Can't we
use the crypto of OpenSSH?
Here's the running setup:
- - - - - - - - - -
root 31974 0.0 0.1 992 1304 p5 I+ 6:40PM 0:00.01
dnsmasq -d -C /etc/dnsmasq.conf --log-queries
# cat /etc/dnsmasq.conf
domain-needed
bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
conf-file=/etc/trust-anchors.conf
dnssec
filterwin2k
# cat /etc/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014
# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- - - - - - - - - -
and a request output:
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: reply google.fr is 173.194.34.184
dnsmasq: query[AAAA] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is 216.239.32.21
dnsmasq: reply thekelleys.org is 216.239.34.21
dnsmasq: reply thekelleys.org is 216.239.36.21
dnsmasq: reply thekelleys.org is 216.239.38.21
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[MX] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
Best regards,
On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> It's time to start the release process for 2.69
>
> The big news for this release is DNSSEC validation. I've made a first
> release-candidate, available at
>
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>
> Please run it if you can, and report any problems. If you can configure
> DNSSEC and test that, all the better. CHANGELOG attached below.
>
>
> Cheers,
>
>
> Simon.
>
> -----------------------------------------------------------------------------
>
> Implement dynamic interface discovery on *BSD. This allows
> the constructor: syntax to be used in dhcp-range for DHCPv6
> on the BSD platform. Thanks to Matthias Andree for
> valuable research on how to implement this.
>
> Fix infinite loop associated with some --bogus-nxdomain
> configs. Thanks fogobogo for the bug report.
>
> Fix missing RA RDNS option with configuration like
> --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
> for spotting the problem.
>
> Add [fd00::] and [fe80::] as special addresses in DHCPv6
> options, analogous to [::]. [fd00::] is replaced with the
> actual ULA of the interface on the machine running
> dnsmasq, [fe80::] with the link-local address.
> Thanks to Tsachi Kimeldorfer for championing this.
>
> DNSSEC validation and caching. Dnsmasq needs to be
> compiled with this enabled, with
>
> make dnsmasq COPTS=-DHAVE_DNSSEC
>
> this adds dependencies on the nettle crypto library and the
> gmp maths library. It's possible to have these linked
> statically with
>
> make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
> which bloats the dnsmasq binary to over a megabyte, but
> saves the size of the shared libraries which are five
> times that size.
> To enable DNSSEC, you will need a set of
> trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are
> included in trust-anchors.conf in the dnsmasq
> distribution. You should of course check that these are
> legitimate and up-to-date. So, adding
>
> conf-file=/path/to/trust-anchors.conf
> dnssec
>
> to your config is all that's needed to get things
> working. The upstream nameservers have to be DNSSEC-capable
> too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are.
> When DNSSEC is configured, dnsmasq validates any queries
> for domains which are signed. Query results which are
> bogus are replaced with SERVFAIL replies, and results
> which are correctly signed have the AD bit set. In
> addition, and just as importantly, dnsmasq supplies
> correct DNSSEC information to clients which are doing
> their own validation, and caches DNSKEY, DS and RRSIG
> records, which significantly improves the performance of
> downstream validators. Setting --log-queries will show
> DNSSEC in action.
>
> The development of DNSSEC in dnsmasq was started by
> Giovanni Bajo, to whom huge thanks are owed. It has been
> supported by Comcast, whose techfund grant has allowed for
> an invaluable period of full-time work to get it to
> a workable state.
>
> Add --rev-server. Thanks to Dave Taht for suggesting this.
>
> Add --servers-file. Allows dynamic update of upstream
> servers full access to configuration.
>
> Add --local-service. Accept DNS queries only from hosts
> whose address is on a local subnet, ie a subnet for which
> an interface exists on the server. This option
> only has effect if there are no --interface, --except-interface,
> --listen-address or --auth-server options. It is
> intended to be set as a default on installation, to allow
> unconfigured installations to be useful but also safe from
> being used for DNS amplification attacks.
>
> Fix crashes in cache_get_cname_target() when dangling CNAMEs
> encountered. Thanks to Andy and the rt-n56u project for
> finding this and helping to chase it down.
>
>
>
--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
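Every answer in the log above is reported as "validation result is INSECURE". In dnsmasq's --log-queries output that result means the answer carried no signatures and dnsmasq accepted it as an unsigned name; it is not a validation failure, so a log containing only INSECURE results does not yet demonstrate that the trust anchor or signature checking are in use. The script below is an added example (not part of the post, and not dnsmasq code) that summarises a --log-queries capture and reports whether a SECURE or BOGUS result was ever observed. The sample log is constructed: the google.fr lines copy the post, while signed.example and broken.example are made-up names standing in for a correctly signed zone and a zone whose signatures fail.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of dnsmasq --log-queries output. The google.fr
# lines copy the post; signed.example and broken.example are made-up names standing
# in for a correctly signed zone and a zone whose signatures fail to validate.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[A] signed.example from 10.0.0.42
dnsmasq: forwarded signed.example to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply signed.example is 192.0.2.10
dnsmasq: query[A] broken.example from 10.0.0.42
dnsmasq: forwarded broken.example to 8.8.8.8
dnsmasq: validation result is BOGUS
"""

FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
RESULT_RE = re.compile(r"validation result is (\w+)")


def summarize(lines):
    """Map each forwarded name to the set of validation results logged for it.
    The 'validation result' line names no domain, so it is attributed to the
    most recently forwarded name, which is the order --log-queries emits them in."""
    results = defaultdict(set)
    current = None
    for line in lines:
        m = FORWARD_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m and current is not None:
            results[current].add(m.group(1))
    return dict(results)


def assess(results):
    """What the log actually proves about the validator.
    INSECURE: the answer is unsigned and dnsmasq accepted it as such, which says
    nothing about whether the trust anchor or signature checking work.
    SECURE: a signature chain up to the configured anchor was verified.
    BOGUS: verification failed; the client received SERVFAIL instead of the data."""
    seen = set()
    for r in results.values():
        seen |= r
    return {
        "validator_exercised": "SECURE" in seen,
        "bogus_detected": "BOGUS" in seen,
        "unsigned_names": sorted(n for n, r in results.items() if r == {"INSECURE"}),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for name, outcomes in sorted(summary.items()):
        print("%-16s %s" % (name, ", ".join(sorted(outcomes))))
    print(assess(summary))
```

To use it on a real setup, capture the debug-mode output (`dnsmasq -d ... --log-queries`) to a file and feed its lines to `summarize()`. A validator that has only ever produced INSECURE has not been tested: query a name you know lives in a signed zone and confirm a SECURE result appears, and if you have access to a deliberately mis-signed test zone, confirm it produces BOGUS and that the client gets SERVFAIL rather than the bogus data.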
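The announcement asks that the shipped trust anchor be checked for legitimacy. The line in trust-anchors.conf is a DS record: digest type 2 is SHA-256 over the root owner name in wire form followed by the KSK's DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the RFC 4034 Appendix B checksum of that RDATA. So the anchor can be recomputed from a root DNSKEY obtained independently (for example the flags-257 record from `dig . DNSKEY +short` against a resolver you trust, cross-checked with the DS published in the IANA root-anchors.xml linked in the config above). The script below is an added example, not dnsmasq code. The DNSKEY it runs against is a constructed placeholder, not the real root key, so it correctly reports no match against the anchor line from the post; replace it with a real record to perform the check.

```python
import base64
import hashlib

# Trust anchor line as it appears in the post's /etc/trust-anchors.conf.
ROOT_ANCHOR_LINE = ("trust-anchor=.,19036,8,2,"
                    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# Constructed placeholder DNSKEY (flags 257 = zone key + SEP, protocol 3,
# algorithm 8, a two-byte "public key"). NOT the real root KSK; real input is
# the 257 record from `dig . DNSKEY +short` on a resolver you trust.
PLACEHOLDER_KEY = (257, 3, 8, "AAE=")


def parse_trust_anchor(line):
    """Split a dnsmasq 'trust-anchor=<zone>,<keytag>,<alg>,<digest type>,<digest>' line."""
    key, _, value = line.strip().partition("=")
    if key != "trust-anchor":
        raise ValueError("not a trust-anchor line: %r" % line)
    zone, keytag, alg, dtype, digest = value.split(",")
    return {"zone": zone, "keytag": int(keytag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": digest.upper()}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the root label (a zero byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone, rdata, digest_type):
    """DS digest per RFC 4034 s5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in hashers:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return hashers[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()


def anchor_matches_dnskey(anchor, flags, protocol, algorithm, pubkey_b64):
    """True when the DNSKEY reproduces the anchor's algorithm, key tag and digest.
    The key tag is only a hint (collisions are legal); the digest is what matters."""
    if not flags & 0x0100:  # zone-key bit clear: this key cannot sign the zone
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (algorithm == anchor["algorithm"]
            and key_tag(rdata) == anchor["keytag"]
            and ds_digest(anchor["zone"], rdata, anchor["digest_type"]) == anchor["digest"])


if __name__ == "__main__":
    anchor = parse_trust_anchor(ROOT_ANCHOR_LINE)
    print("configured anchor:", anchor)
    flags, proto, alg, key = PLACEHOLDER_KEY
    rdata = dnskey_rdata(flags, proto, alg, key)
    print("placeholder key tag: %d, DS: %s" % (key_tag(rdata), ds_digest(".", rdata, 2)))
    # False is the correct answer here: the placeholder is not the anchor's key.
    print("placeholder matches configured anchor:", anchor_matches_dnskey(anchor, *PLACEHOLDER_KEY))
```

The check is only as good as the channel the DNSKEY came from: fetching it through the same resolver whose anchor you are trying to verify proves nothing, so compare against the DS values IANA publishes out of band, and repeat the check whenever the root key rolls.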