[Dnsmasq-discuss] Fwd: DS requests should be forwarded to the higher domain

Simon Kelley simon at thekelleys.org.uk
Thu Sep 11 22:15:08 BST 2014


On 10/09/14 22:50, Filippo Valsorda wrote:
> On Wed, Sep 10, 2014 at 2:05 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> On 10/09/14 00:34, Filippo Valsorda wrote:
>>> DS records are an ugly special case in DNSSEC, and they are kept not by
>>> the zone NS but by the one on top of it.
>>>
>>> So when faced with a config like
>>>
>>> server=8.8.8.8
>>> server=/ietf.org/64.170.98.2
>>>
>>> an A request for ietf.org should go to 64.170.98.2 but a DS request for
>>> ietf.org should go to 8.8.8.8. Otherwise it won't be possible to
>>> verify a DNSSEC chain.
>>>
>>> Attached is a patch that works but is horrible. Don't merge it.
>>>
>>> Please cc me in replies. Thanks for the project!
>>>
>>
>> That's a very good point. I'm not sure that this has ever been a problem
>> in reality, because the server given in eg
>>
>> server=/ietf.org/64.170.98.2
>>
>> has to be a recursive server, so it should still be able to answer the
>> query for the DS record, by recursing the query to the next zone up.
> 
> Why does it have to be a recursive server? I'm really happy using
> dnsmasq to bind a domain to its authoritative server. Like a dynamic
> /etc/hosts file. The only problem I encountered doing this is with the
> DS records, but it's the spec's fault ^^

I guess it doesn't have to be a recursive server, but it nearly always
is, which is important when you have to worry about how big a problem
this is.

Is your solution a complete one? What happens to a query for (eg)

DS www.ietf.org


Cheers,


Simon.



>> In fact, my guess is that very, very, few people have ever tried to do
>> DNSSEC with servers for particular zones. It's usually used to handle
>> private domains that aren't in the "global" DNS, - and very few of those
>> will be DNSSEC enabled.
>>
>>
>> Cheers,
>>
>> Simon.
>>
> 
> I second that it's more of a development setup, but I still think this
> is a bug :)
> 
