[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

Dave Taht dave.taht at gmail.com
Mon Mar 24 18:07:01 UTC 2014


On Mon, Mar 24, 2014 at 10:45 AM, sven falempin <sven.falempin at gmail.com> wrote:
> openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
> [make]
> $ ./src/dnsmasq --version
> Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>
> Would you please explain why the dependencies with <nettle>, can't we
> use the crypto of openSSH?

Openssl has a lousy API. Libnettle is much better, and (if statically linked)
doesn't add much size to the dnsmasq binary.

>
> Here's the running setup :
> - - - - - - - - - -
> root     31974  0.0  0.1   992  1304 p5  I+     6:40PM    0:00.01
> dnsmasq -d -C /etc/dnsmasq.conf --log-queries
> # cat /etc/dnsmasq.conf
> domain-needed
> bogus-priv
> # Uncomment these to enable DNSSEC validation and caching:
> # (Requires dnsmasq to be built with DNSSEC option.)
> conf-file=/etc/trust-anchors.conf
> dnssec
> filterwin2k
>
> # cat /etc/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
>
> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
>
>
> - - - - - - - - - -
>
> and a request output:
>
> dnsmasq: query[A] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 173.194.34.183
> dnsmasq: reply google.fr is 173.194.34.191
> dnsmasq: reply google.fr is 173.194.34.184
> dnsmasq: query[AAAA] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
> dnsmasq: query[MX] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is 216.239.32.21
> dnsmasq: reply thekelleys.org is 216.239.34.21
> dnsmasq: reply thekelleys.org is 216.239.36.21
> dnsmasq: reply thekelleys.org is 216.239.38.21
> dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is NODATA-IPv6
> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
>
>
> Best regards,
>
>
> On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> It's time to start the release process for 2.69
>>
>> The big news for this release is DNSSEC validation. I've made a first
>> release-candidate, available at
>>
>> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>>
>> Please run it if you can, and report any problems. If you can configure
>> DNSSEC and test that, all the better. CHANGELOG attached below.
>>
>>
>> Cheers,
>>
>>
>> Simon.
>>
>> -----------------------------------------------------------------------------
>>
>>             Implement dynamic interface discovery on *BSD. This allows
>>             the constructor: syntax to be used in dhcp-range for DHCPv6
>>             on the BSD platform. Thanks to Matthias Andree for
>>             valuable research on how to implement this.
>>
>>             Fix infinite loop associated with some --bogus-nxdomain
>>             configs. Thanks fogobogo for the bug report.
>>
>>             Fix missing RA RDNS option with configuration like
>>             --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
>>             for spotting the problem.
>>
>>             Add [fd00::] and [fe80::] as special addresses in DHCPv6
>>             options, analogous to [::]. [fd00::] is replaced with the
>>             actual ULA of the interface on the machine running
>>             dnsmasq, [fe80::] with the link-local address.
>>             Thanks to Tsachi Kimeldorfer for championing this.
>>
>>             DNSSEC validation and caching. Dnsmasq needs to be
>>             compiled with this enabled, with
>>
>>             make dnsmasq COPTS=-DHAVE_DNSSEC
>>
>>             this adds dependencies on the nettle crypto library and the
>>             gmp maths library. It's possible to have these linked
>>             statically with
>>
>>             make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>>
>>             which bloats the dnsmasq binary to over a megabyte, but
>>             saves the size of the shared libraries which are five
>>             times that size.
>>             To enable DNSSEC, you will need a set of
>>             trust-anchors. Now that the TLDs are signed, this can be
>>             the keys for the root zone, and for convenience they are
>>             included in trust-anchors.conf in the dnsmasq
>>             distribution. You should of course check that these are
>>             legitimate and up-to-date. So, adding
>>
>>             conf-file=/path/to/trust-anchors.conf
>>             dnssec
>>
>>             to your config is all that's needed to get things
>>             working. The upstream nameservers have to be DNSSEC-capable
>>             too, of course. Many ISP nameservers aren't, but the
>>             Google public nameservers (8.8.8.8 and 8.8.4.4) are.
>>             When DNSSEC is configured, dnsmasq validates any queries
>>             for domains which are signed. Query results which are
>>             bogus are replaced with SERVFAIL replies, and results
>>             which are correctly signed have the AD bit set. In
>>             addition, and just as importantly, dnsmasq supplies
>>             correct DNSSEC information to clients which are doing
>>             their own validation, and caches DNSKEY, DS and RRSIG
>>             records, which significantly improves the performance of
>>             downstream validators. Setting --log-queries will show
>>             DNSSEC in action.
>>
>>             The development of DNSSEC in dnsmasq was started by
>>             Giovanni Bajo, to whom huge thanks are owed. It has been
>>             supported by Comcast, whose techfund grant has allowed for
>>             an invaluable period of full-time work to get it to
>>             a workable state.
>>
>>             Add --rev-server. Thanks to Dave Taht for suggesting this.
>>
>>             Add --servers-file. Allows dynamic update of upstream
>>             servers full access to configuration.
>>
>>             Add --local-service. Accept DNS queries only from hosts
>>             whose address is on a local subnet, ie a subnet for which
>>             an interface exists on the server. This option
>>             only has effect if there are no --interface --except-
>>             interface, --listen-address or --auth-server options. It is
>>             intended to be set as a default on installation, to allow
>>             unconfigured installations to be useful but also safe from
>>             being used for DNS amplification attacks.
>>
>>             Fix crashes in cache_get_cname_target() when dangling CNAMEs
>>             encountered. Thanks to Andy and the rt-n56u project for
>>             finding this and helping to chase it down.
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
>
> --
> ---------------------------------------------------------------------------------------------------------------------
> () ascii ribbon campaign - against html e-mail
> /\
>



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
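Two checks a practitioner would want after reading the thread, as an added example that is not code from the dnsmasq project or from anyone in this thread: a sanity check of the `trust-anchor=` line in trust-anchors.conf (field count, key tag range, and a digest length that matches the digest type, so a truncated copy-paste of the root DS is caught before dnsmasq is restarted), and a small parser for the `--log-queries` output that attaches each `validation result is ...` line to the name most recently forwarded upstream, so INSECURE, SECURE and BOGUS results can be tallied per name. The sample log is constructed from the lines quoted above plus one extra `example.test` query with an assumed `BOGUS` result; the result names SECURE and BOGUS, and the digest-type table, are assumptions of this example, not taken from the page.

```python
import re

# Hex digest lengths per DS digest type (RFC 4034 SHA-1, RFC 4509 SHA-256,
# RFC 6605 SHA-384). Assumption of this example; GOST (type 3) is omitted.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_trust_anchor(line):
    """Validate a dnsmasq 'trust-anchor=zone,keytag,algorithm,digest-type,digest'
    line and return its fields as a dict. Raises ValueError on malformed input."""
    prefix = "trust-anchor="
    line = line.strip()
    if not line.startswith(prefix):
        raise ValueError("not a trust-anchor line")
    fields = line[len(prefix):].split(",")
    if len(fields) != 5:
        raise ValueError("expected 5 comma-separated fields, got %d" % len(fields))
    zone, keytag, algorithm, digest_type, digest = (f.strip() for f in fields)
    keytag, algorithm, digest_type = int(keytag), int(algorithm), int(digest_type)
    if not 0 <= keytag <= 65535:
        raise ValueError("key tag out of range")
    expected = DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        raise ValueError("unsupported digest type %d" % digest_type)
    if len(digest) != expected or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        raise ValueError("digest must be %d hex chars for digest type %d"
                         % (expected, digest_type))
    return {"zone": zone, "keytag": keytag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest.upper()}


# Constructed sample log: the INSECURE lines mirror the thread; the
# example.test query and its BOGUS result are invented for illustration.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: query[A] example.test from 10.0.0.42
dnsmasq: forwarded example.test to 8.8.8.8
dnsmasq: validation result is BOGUS
"""

# Only the two line shapes we key on: an upstream forward and a validation verdict.
LOG_RE = re.compile(
    r"^dnsmasq: (?:forwarded (?P<fwd>\S+) to \S+"
    r"|validation result is (?P<result>[A-Z]+))$"
)


def validation_results(log_text):
    """Map each name forwarded upstream to the list of validation results dnsmasq
    logged right after it. A verdict is attributed to the most recent 'forwarded'
    line, which also covers names dnsmasq chases on its own (e.g. an MX target)
    that never appear in a 'query[...]' line."""
    results = {}
    current = None
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        if m.group("fwd"):
            current = m.group("fwd")
        elif current is not None:
            results.setdefault(current, []).append(m.group("result"))
    return results


def bogus_names(results):
    """Names with at least one BOGUS verdict: these are the answers dnsmasq
    replaces with SERVFAIL, and the ones worth investigating first."""
    return sorted(name for name, verdicts in results.items() if "BOGUS" in verdicts)


if __name__ == "__main__":
    root_ds = ("trust-anchor=.,19036,8,2,"
               "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
    print(parse_trust_anchor(root_ds))
    verdicts = validation_results(SAMPLE_LOG)
    for name, v in sorted(verdicts.items()):
        print(name, v)
    print("bogus:", bogus_names(verdicts))
```

The INSECURE verdicts in the thread are expected: google.fr and thekelleys.org were not signed at the time, so dnsmasq proves the absence of a DS at the parent and passes the unsigned answer through. A BOGUS verdict, by contrast, means a signed zone failed validation, which is why that list is the one to alert on.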


