[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records

Jim Gettys jg at freedesktop.org
Thu Sep 11 18:40:52 BST 2014


On Thu, Sep 11, 2014 at 9:50 AM, Jeroen van der Ham <vdham at uva.nl> wrote:

> Hi,
>
> On 22 Aug 2014, at 16:57, Rene Bartsch <ml at bartschnet.de> wrote:
> > BIND and PowerDNS can sign resource records automatically when run as
> > primary DNS with DNSSEC. Does Dnsmasq support signing resource records
> > automatically in authoritative mode or are there any plans to support
> > automatic zone signing in authoritative mode?
>
> When exactly would you want dnsmasq to run as an authoritative name server?
>

All the time, for my home network.  It's my name space, I control it, and
I need to have control over what names are globally/locally visible.

>
> Note that signing records is not as simple as just flipping a switch, the
> key has to be trusted as well. Which means that you have to register a key
> at your registrar.


> If it is for private use, there is no reason to use DNSSEC anyway.
>

Sure there is; otherwise any connection to devices on your home network
is vulnerable to MITM attacks.  I can't/should not have to trust either my
ISP or registrar with my signing keys.  As we've seen over the last year,
there are "interesting" people out on the Internet doing bad things these
days.
                          - Jim

>
> Jeroen.
>
>