[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server
Simon Kelley
simon at thekelleys.org.uk
Sat Sep 6 17:55:18 BST 2014
On 29/08/14 08:59, Rene Bartsch wrote:
> Hi,
>
> I'm running Dnsmasq with DNSSEC-validation and "--dnssec-check-unsigned"
> enabled. "server=/onion/127.0.0.1#9053" forwards .onion-queries to the
> TOR-resolver. Unfortunately the TOR-resolver provides A-RRs only. So
> resolving .onion-domains fails when "--dnssec-check-unsigned" is enabled.
>
> Please extend "--dnssec-check-unsigned" with an option for the server
> address and port.
>
> "dnssec-check-unsigned" would enable for all upstream servers.
>
> "dnssec-check-unsigned=127.0.0.1#9053" would enable only for
> 127.0.0.1#9053.
>
This ties in with something I was considering, which is to be able to
disable DNSSEC checking for particular upstream servers. I guess it's
better to associate it with the server than enable-dnssec or
dnssec-check-unsigned, so we could have

server-no-dnssec=/onion/127.0.0.1#9053

or

server-no-dnssec-unsigned=/onion/127.0.0.1#9053

What does the team think?

Cheers,

Simon.