[Dnsmasq-discuss] Automatic DNSSEC-signing of ressource records

Rene Bartsch ml at bartschnet.de
Fri Sep 12 12:44:38 BST 2014

Am 2014-09-12 10:17, schrieb Jeroen van der Ham:

> Ah you mean you want to use DNSmasq to do the automatic translation
> from DHCP leases to DNS, and then automatically sign them. I would
> still advise you to use a secondary nameserver, unless you’re not
> running any mission-critical systems (in which case I think this is
> somewhat over the top)

You need secondary nameservers, of course. Secondary nameservers are 
cheap or even for free. When I studied I was in a group of students each 
running a root server as primary nameserver for his domain(s) and we 
shared the root servers as secondary nameservers with each other.

> What I have trouble with though is that DNSSEC is not yet at a stage
> where it is easy to use. It certainly is still not easy to
> troubleshoot and pinpoint problems. This goes beyond having an easy
> interface to the DNS system itself, or automatic signing of records.

I'm running my three private domains with hosted DNSSEC without any 
problem. The only drawback is my registrar does not provide DynDNS and 
lacks some resource records - and Google Public DNS has a 
wildcard-resolution bug. The main problem is registrars usually lack 
important features for consumers, may mit be DNSSEC, DynDNS for dynamic 
IPs, IPv6 glue-records, some resource records or a usable interface for 

My dream is a consumer router at which the consumer just enters his 
public domain name(s) and the hostnames/IP addresses of Dnsmasq 
instances he wants to be secondary nameservers (and  provide secondary 
nameserver service for). The router would just display the secondary 
nameserver hostnames/Glue-Records and the Zone-Signing-Key or DS-Key to 
be sent to the registry via the registrar. As the Key-Signing-Keys are 
kept on the router you just have to check if the registry publishes the 
correct ZSK/DS-record to be sure your zone has not been tampered with. 
The router can even scan the hosts in the LAN for services (e.g. TLS) 
and add records automagically (e.g. TLSA-RRs for DANE). In expert mode 
additional records could be added manually.

Best regards,


More information about the Dnsmasq-discuss mailing list