[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

Simon Kelley simon at thekelleys.org.uk
Mon Mar 24 21:05:24 UTC 2014


On 24/03/14 17:45, sven falempin wrote:
> openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
> [make]
> $ ./src/dnsmasq --version
> Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
> 
> Would you please explain why the dependencies with <nettle> , cant we
> use the crypto of openSSH ?

To be able to use openSSL, the license for dnsmasq would have to be changed:

http://en.wikipedia.org/wiki/OpenSSL#Licensing


> 
> Here's the running setup :
> - - - - - - - - - -
> root     31974  0.0  0.1   992  1304 p5  I+     6:40PM    0:00.01
> dnsmasq -d -C /etc/dnsmasq.conf --log-queries
> # cat /etc/dnsmasq.conf
> domain-needed
> bogus-priv
> # Uncomment these to enable DNSSEC validation and caching:
> # (Requires dnsmasq to be built with DNSSEC option.)
> conf-file=/etc/trust-anchors.conf
> dnssec
> filterwin2k
> 
> # cat /etc/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
> 
> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
> 
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> 
> 
> 
> - - - - - - - - - -
> 
> and a  request output :
> 
> dnsmasq: query[A] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 173.194.34.183
> dnsmasq: reply google.fr is 173.194.34.191
> dnsmasq: reply google.fr is 173.194.34.184
> dnsmasq: query[AAAA] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
> dnsmasq: query[MX] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is 216.239.32.21
> dnsmasq: reply thekelleys.org is 216.239.34.21
> dnsmasq: reply thekelleys.org is 216.239.36.21
> dnsmasq: reply thekelleys.org is 216.239.38.21
> dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is NODATA-IPv6
> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> 
> 

That's what I would expect. The google domains are not, in general,
signed (neither are most others). My domain is in fact
thekelleys.org.uk, but that's not signed either.

Try ietf.org or paypal.com or isc.org


Note that you may want to add --dnssec-check-unsigned to the
configuration. That will cause dnsmasq to ensure that unsigned replies
are legit by ensuring that there exists secure denial of existence of a
DS record somewhere on the path from the DNS root to the domain. That
should be added to the example config file before the final release.


Cheers,


Simon.







More information about the Dnsmasq-discuss mailing list