[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

Simon Kelley simon at thekelleys.org.uk
Mon Mar 24 21:18:03 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/03/14 21:13, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>> Note that you may want to add --dnssec-check-unsigned to the 
>> configuration. That will cause dnsmasq to ensure that unsigned 
>> replies are legit by ensuring that there exists secure denial of
>>  existence of a DS record somewhere on the path from the DNS
>> root to the domain. That should be added to the example config
>> file before the final release.
> 
> It's also missing from the man page in the rc... :)
> 
> -Toke
> 
No it isn't.

      --dnssec-check-unsigned
           As a default, dnsmasq does not check that unsigned DNS
           replies are legitimate: they are assumed to be valid and
           passed on (without the "authentic data" bit set, of
           course). This does not protect against an attacker
           forging unsigned replies for signed DNS zones, but
           it is fast. If this flag is set, dnsmasq will check the
           zones of unsigned replies, to ensure that unsigned replies
           are allowed in those zones. The cost of this is more
           upstream queries and slower performance. See also the
           warning about upstream servers in the section on --dnssec.



Cheers,


Simon.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMwoQsACgkQKPyGmiibgrfiwwCeK43oBI57+cF2I7E4PJjSRIxq
9xAAnjBk5bTeoYiNWc5ZCBvmNdnH204n
=RGFv
-----END PGP SIGNATURE-----
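The check Simon describes (an unsigned reply is only legitimate if some signed zone on the path from the root proves that the next delegation has no DS record) can be modelled as a short walk down the delegation chain. The following is an added illustration written for this archive page, not dnsmasq's own validation code; the delegation tree, the zone names (`example.`, `signed.example.`, `insecure.example.`, `strip.example.`, `unsigned-tld.`) and the three evidence states are constructed for the example. It also models the upstream-server caveat the man page points at: a parent that returns neither a DS nor a signed denial (what a DNSSEC-unaware forwarder looks like) yields no proof, so the unsigned reply is rejected rather than quietly accepted.

```python
"""Toy model of the --dnssec-check-unsigned decision (constructed example).

For each delegation the table records what the *signed parent* proved
about the child:
  "ds"    -> parent publishes a DS for the child: the child zone is signed,
             so an unsigned reply from inside it would be a forgery.
  "no-ds" -> parent returned a signed (NSEC/NSEC3) denial of DS: the child
             is a provably insecure delegation, unsigned replies are fine.
  None    -> no usable evidence came back (e.g. the upstream server
             stripped the DNSSEC records): nothing can be proven.
The root is the trust anchor and is treated as signed.  The model covers
zone cuts only; names inside a signed zone are not modelled.
"""
from typing import Dict, List, Optional

# Constructed delegation data: parent zone -> {child label: evidence}.
DELEGATIONS: Dict[str, Dict[str, Optional[str]]] = {
    ".": {"example": "ds", "unsigned-tld": "no-ds"},
    "example.": {"signed": "ds", "insecure": "no-ds", "strip": None},
    "signed.example.": {"sub": "no-ds"},
}

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"


def zones_root_to_name(name: str) -> List[str]:
    """'a.b.example.' -> ['.', 'example.', 'b.example.', 'a.b.example.']"""
    parts = [p for p in name.rstrip(".").split(".") if p]
    zones = ["."]
    for i in range(len(parts) - 1, -1, -1):
        zones.append(".".join(parts[i:]) + ".")
    return zones


def classify_unsigned_reply(name: str, check_unsigned: bool,
                            delegations: Dict[str, Dict[str, Optional[str]]] = DELEGATIONS) -> str:
    """Decide what to do with an UNSIGNED reply for `name`.

    check_unsigned=False mirrors the default: the reply is passed on with
    no AD bit (INSECURE) and no questions asked, even for a signed zone.
    check_unsigned=True walks from the root towards `name`; the reply is
    accepted only once a signed ancestor proves the next zone has no DS.
    Reaching the name with every step signed means the zone is signed and
    the unsigned reply is forged (BOGUS).  A missing proof is also BOGUS:
    "could not prove" is never promoted to "provably unsigned".
    """
    if not check_unsigned:
        return INSECURE

    zones = zones_root_to_name(name)
    parent = zones[0]                      # "." is signed via the trust anchor
    for child in zones[1:]:
        # Strip the parent suffix to get the child's leftmost label.
        label = child[: -len(parent)].rstrip(".")
        evidence = delegations.get(parent, {}).get(label)
        if evidence == "no-ds":
            return INSECURE                # signed proof of an insecure delegation
        if evidence != "ds":
            return BOGUS                   # no DS and no signed denial: unprovable
        parent = child                     # child is signed, keep walking
    return BOGUS                           # whole chain signed: unsigned reply is a forgery


if __name__ == "__main__":
    for qname in ("www.unsigned-tld.", "host.insecure.example.",
                  "signed.example.", "sub.signed.example.", "strip.example."):
        print(f"{qname:24} default={classify_unsigned_reply(qname, False):8} "
              f"check-unsigned={classify_unsigned_reply(qname, True)}")
```

The `strip.example.` row is the case the man page warns about: with an upstream server that does not return DS and NSEC records, `--dnssec-check-unsigned` cannot build the proof and the name fails validation, whereas the default setting would have accepted the same reply.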


