[Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

sven falempin sven.falempin at gmail.com
Mon Mar 24 23:29:43 UTC 2014


On Mon, Mar 24, 2014 at 5:05 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 24/03/14 17:45, sven falempin wrote:
>> openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
>> [make]
>> $ ./src/dnsmasq --version
>> Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
>> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>>
>> Would you please explain why the dependency on <nettle>? Can't we
>> use the crypto of openSSH?
>
> To be able to use openSSL, the license for dnsmasq would have to be changed:
>
> http://en.wikipedia.org/wiki/OpenSSL#Licensing
>
>
>>
>> Here's the running setup :
>> - - - - - - - - - -
>> root     31974  0.0  0.1   992  1304 p5  I+     6:40PM    0:00.01
>> dnsmasq -d -C /etc/dnsmasq.conf --log-queries
>> # cat /etc/dnsmasq.conf
>> domain-needed
>> bogus-priv
>> # Uncomment these to enable DNSSEC validation and caching:
>> # (Requires dnsmasq to be built with DNSSEC option.)
>> conf-file=/etc/trust-anchors.conf
>> dnssec
>> filterwin2k
>>
>> # cat /etc/trust-anchors.conf
>> # The root DNSSEC trust anchor, valid as at 30/01/2014
>>
>> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
>> # It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>>
>> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>>
>> - - - - - - - - - -
>>
>> and a request output:
>>
>> dnsmasq: query[A] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply google.fr is 173.194.34.183
>> dnsmasq: reply google.fr is 173.194.34.191
>> dnsmasq: reply google.fr is 173.194.34.184
>> dnsmasq: query[AAAA] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
>> dnsmasq: query[MX] google.fr from 10.0.0.42
>> dnsmasq: forwarded google.fr to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply thekelleys.org is 216.239.32.21
>> dnsmasq: reply thekelleys.org is 216.239.34.21
>> dnsmasq: reply thekelleys.org is 216.239.36.21
>> dnsmasq: reply thekelleys.org is 216.239.38.21
>> dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>> dnsmasq: reply thekelleys.org is NODATA-IPv6
>> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
>> dnsmasq: forwarded thekelleys.org to 8.8.8.8
>> dnsmasq: validation result is INSECURE
>>
>
> That's what I would expect. The google domains are not, in general,
> signed (neither are most others). My domain is in fact
> thekelleys.org.uk, but that's not signed either.
>
> Try ietf.org or paypal.com or isc.org
>
>
> Note that you may want to add --dnssec-check-unsigned to the
> configuration. That will cause dnsmasq to ensure that unsigned replies
> are legit by ensuring that there exists secure denial of existence of a
> DS record somewhere on the path from the DNS root to the domain. That
> should be added to the example config file before the final release.
>
>
> Cheers,
>
>
> Simon.
>

Yes, it logs better when I launch with --dnssec-check-unsigned.
Can I put these in the configuration file, like bogus-priv?
:

dnsmasq: query[A] ietf.org from 10.0.0.42
dnsmasq: forwarded ietf.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] ietf.org to 8.8.8.8
dnsmasq: dnssec-query[DS] ietf.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] org to 8.8.8.8
dnsmasq: dnssec-query[DS] org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 40926
dnsmasq: reply . is DNSKEY keytag 33655
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply org is DS keytag 21366
dnsmasq: reply org is DS keytag 21366
dnsmasq: reply org is DNSKEY keytag 9795
dnsmasq: reply org is DNSKEY keytag 21366
dnsmasq: reply org is DNSKEY keytag 1829
dnsmasq: reply org is DNSKEY keytag 28794
dnsmasq: reply ietf.org is DS keytag 45586
dnsmasq: reply ietf.org is DS keytag 45586
dnsmasq: reply ietf.org is DNSKEY keytag 40452
dnsmasq: reply ietf.org is DNSKEY keytag 45586
dnsmasq: validation result is SECURE
dnsmasq: reply ietf.org is 4.31.198.44
dnsmasq: query[AAAA] ietf.org from 10.0.0.42
dnsmasq: forwarded ietf.org to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply ietf.org is 2001:1900:3001:11::2c
dnsmasq: query[MX] ietf.org from 10.0.0.42
dnsmasq: forwarded ietf.org to 8.8.8.8
dnsmasq: validation result is SECURE



dnsmasq: query[A] paypal.com from 10.0.0.42
dnsmasq: forwarded paypal.com to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] paypal.com to 8.8.8.8
dnsmasq: dnssec-query[DS] paypal.com to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] com to 8.8.8.8
dnsmasq: dnssec-query[DS] com to 8.8.8.8
dnsmasq: reply com is DS keytag 30909
dnsmasq: reply com is DNSKEY keytag 45932
dnsmasq: reply com is DNSKEY keytag 30909
dnsmasq: reply paypal.com is DS keytag 21037
dnsmasq: reply paypal.com is DNSKEY keytag 21037
dnsmasq: reply paypal.com is DNSKEY keytag 11811
dnsmasq: validation result is SECURE
dnsmasq: reply paypal.com is 66.211.169.3
dnsmasq: reply paypal.com is 66.211.169.66
dnsmasq: query[AAAA] paypal.com from 10.0.0.42
dnsmasq: forwarded paypal.com to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply paypal.com is NODATA-IPv6
dnsmasq: query[MX] paypal.com from 10.0.0.42
dnsmasq: forwarded paypal.com to 8.8.8.8
dnsmasq: validation result is SECURE
-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
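An added example, not part of this thread and not dnsmasq's own code: a small Python script that groups --log-queries output like the excerpts above into one record per client query, records which DS/DNSKEY records dnsmasq fetched for the chain, checks that the trust-anchor line from dnsmasq.conf is well-formed (digest length matches the digest type) and that its key tag actually turned up in a validation chain, and lists the names whose answers did not validate SECURE. The sample config and log lines are copied from the excerpts quoted in this thread and trimmed; the function and variable names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed inputs: config and log lines copied from the excerpts quoted in this
# thread (dnsmasq 2.69rc1, --log-queries), trimmed for length.
SAMPLE_CONF = """\
dnssec
dnssec-check-unsigned
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[A] ietf.org from 10.0.0.42
dnsmasq: dnssec-query[DNSKEY] ietf.org to 8.8.8.8
dnsmasq: dnssec-query[DS] ietf.org to 8.8.8.8
dnsmasq: dnssec-query[DNSKEY] . to 8.8.8.8
dnsmasq: reply . is DNSKEY keytag 19036
dnsmasq: reply ietf.org is DS keytag 45586
dnsmasq: reply ietf.org is DNSKEY keytag 45586
dnsmasq: validation result is SECURE
dnsmasq: reply ietf.org is 4.31.198.44
dnsmasq: query[MX] ietf.org from 10.0.0.42
dnsmasq: validation result is SECURE
"""

# Line shapes seen in the thread; search() so a syslog prefix does not matter.
RE_QUERY  = re.compile(r"dnsmasq: query\[(\w+)\] (\S+) from (\S+)$")
RE_KEY    = re.compile(r"dnsmasq: reply (\S+) is (DS|DNSKEY) keytag (\d+)$")
RE_RESULT = re.compile(r"dnsmasq: validation result is (\w+)$")
RE_REPLY  = re.compile(r"dnsmasq: reply (\S+) is (\S+)$")
RE_ANCHOR = re.compile(r"^trust-anchor=([^,]+),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)$")
# DS digest type -> hex digest length (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


@dataclass
class Query:
    qtype: str
    name: str
    client: str
    result: Optional[str] = None   # SECURE / INSECURE / BOGUS; None if never logged
    answers: List[str] = field(default_factory=list)
    chain: List[Tuple[str, str, int]] = field(default_factory=list)  # (rrtype, owner, keytag)


def parse_log(text: str) -> List[Query]:
    """Group --log-queries output into one record per client query."""
    queries: List[Query] = []
    cur: Optional[Query] = None
    for line in text.splitlines():
        if m := RE_QUERY.search(line):
            cur = Query(m.group(1), m.group(2), m.group(3))
            queries.append(cur)
        elif cur is None:
            continue                                # noise before the first query
        elif m := RE_KEY.search(line):              # must be tried before RE_REPLY
            cur.chain.append((m.group(2), m.group(1), int(m.group(3))))
        elif m := RE_RESULT.search(line):
            cur.result = m.group(1)
        elif (m := RE_REPLY.search(line)) and m.group(1) == cur.name:
            cur.answers.append(m.group(2))
    return queries


def parse_trust_anchors(conf: str) -> List[Tuple[str, int, int, int, str]]:
    """trust-anchor=<zone>,<keytag>,<algorithm>,<digest type>,<digest> lines."""
    out = []
    for line in conf.splitlines():
        if m := RE_ANCHOR.match(line.strip()):
            out.append((m.group(1), int(m.group(2)), int(m.group(3)),
                        int(m.group(4)), m.group(5).upper()))
    return out


def check_trust_anchor(anchor: Tuple[str, int, int, int, str]) -> List[str]:
    """Structural checks on a pasted anchor: known digest type, digest length."""
    zone, _keytag, _alg, digest_type, digest = anchor
    problems = []
    want = DS_DIGEST_HEX_LEN.get(digest_type)
    if want is None:
        problems.append(f"{zone}: unknown DS digest type {digest_type}")
    elif len(digest) != want:
        problems.append(f"{zone}: digest is {len(digest)} hex chars, type {digest_type} needs {want}")
    return problems


def root_keytags_in_chains(queries: List[Query]) -> Set[int]:
    """Key tags of root-zone DNSKEYs that appeared in a validation chain."""
    return {tag for q in queries for rr, owner, tag in q.chain if rr == "DNSKEY" and owner == "."}


def unvalidated_names(queries: List[Query]) -> List[str]:
    """Names whose answers never validated SECURE (INSECURE, BOGUS or no result)."""
    return sorted({q.name for q in queries if q.result != "SECURE"})


if __name__ == "__main__":
    anchors, qs = parse_trust_anchors(SAMPLE_CONF), parse_log(SAMPLE_LOG)
    print("anchor problems:", [p for a in anchors for p in check_trust_anchor(a)])
    print("root key tags used:", sorted(root_keytags_in_chains(qs)))
    print("not SECURE:", unvalidated_names(qs))
```

Run it as-is to see the report on the sample; for a real system, read the log from a file instead of SAMPLE_LOG. An INSECURE result is only as meaningful as the check behind it: as Simon says above, without --dnssec-check-unsigned dnsmasq does not prove that an unsigned reply comes from a zone with no DS record, and the log excerpt alone does not show which mode produced it, so treat the "not SECURE" list as a review queue rather than an alarm.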