[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Simon Kelley simon at thekelleys.org.uk
Sat Sep 6 17:55:18 BST 2014


On 29/08/14 08:59, Rene Bartsch wrote:
> Hi,
> 
> I'm running Dnsmasq with DNSSEC-validation and "--dnssec-check-unsigned"
> enabled. "server=/onion/127.0.0.1#9053" forwards .onion-queries to the
> TOR-resolver. Unfortunately the TOR-resolver provides A-RRs only. So
> resolving .onion-domains fails when "--dnssec-check-unsigned" is enabled.
> 
> Please extend "--dnssec-check-unsigned" with an option for the server
> address and port.
> 
> "dnssec-check-unsigned" would enable for all upstream servers.
> 
> "dnssec-check-unsigned=127.0.0.1#9053" would enable only for
> 127.0.0.1#9053.
> 

This ties in with something I was considering, which is to be able to
disable DNSSEC checking for particular upstream servers. I guess it's
better to associate it with the server than enable-dnssec or
dnssec-check-unsigned, so we could have

server-no-dnssec=/onion/127.0.0.1#9053

or

server-no-dnssec-unsigned=/onion/127.0.0.1#9053

What does the team think?

Cheers,

Simon.
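
The setup the request describes, written out as a dnsmasq configuration. This is an added example, not a file from the thread or from the dnsmasq project; the trust-anchor path, the torrc line, the documentation-range upstream address and the Tor port are assumptions. It shows where the conflict sits: the global `dnssec-check-unsigned` switch applies to every `server=` line, including the one that routes `.onion` to a resolver that only ever returns A records.

```conf
# dnsmasq.conf -- constructed example of the configuration in the request.
# Not from the thread; paths, addresses and the Tor port are assumptions.

# Validate DNSSEC. The root trust anchor is read from a separate file;
# the path below is where Debian ships it (assumed).
dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf

# Treat unsigned answers as bogus unless a chain of DS records proves the
# zone really is unsigned. This is the global switch the request wants to
# be able to scope to individual upstream servers.
dnssec-check-unsigned

# Send .onion lookups to Tor's DNS listener (torrc: "DNSPort 127.0.0.1:9053",
# assumed). Tor answers A queries only, so the DS lookups that the
# "proven unsigned" check needs get no usable answer and the .onion
# query fails while dnssec-check-unsigned is on.
server=/onion/127.0.0.1#9053

# Ordinary validating upstream for everything else (documentation address).
server=192.0.2.53
```

Without the per-server form the request asks for, the operator has to choose between keeping `dnssec-check-unsigned` for all upstreams and losing `.onion`, or dropping it globally and accepting unsigned answers from the public upstream as well. The `server-no-dnssec` and `server-no-dnssec-unsigned` lines in the reply are proposed syntax, not options this configuration can use.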
