[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Maciej Soltysiak maciej at soltysiak.com
Sun Jun 14 18:46:56 BST 2015


Hi,

On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon <stephane at 22decembre.eu>
wrote:

> On Friday, June 12, 2015, 13:16:09 Maciej Soltysiak wrote:
> > A user on my service, who has dnssec-check-unsigned enabled gets an
> > unsigned response from a signed zone and the intended reaction of dnsmasq
> > kicks in.
> >
> > Not a bug then. Is my understanding correct?
>
> As far as I understand, I have the same issue (except that dnsmasq itself
> is
> serving the non signed zone and unbound the signed) !
>
> To solve that, I propose to make the unsigned zone on another domain or
> zone
> than the signed one.
>
> server.domain.org is signed and the public face of your server.
>
> server.intern.domain.org is unsigned. Your users can then use this
> address,
> and the dns can still have different answer depending where they are.
>
> Do you understand me ?
>
> Do you think it is a good idea ? (I am thinking of using it for my case).

Yes, I understand, I think it would work and it's a clever workaround for
the issue, however in my case it does not help to maintain the end goal
which was to provide authenticated response to that domain so that it is
always trustworthy.

That actually is becoming a DNSSEC question. Is there a way to provide
split-horizon answers on signed zones? Can one name have 2 different valid
answers and RRSIGs? perhaps if the signature could be for a name/ttl pair,
not just the name and have different ttls on those names? Dunno.

Perhaps me trying to use dns records to test whether the responses are
coming over dnscrypt or not is flawed in nature.

Thanks anyway,
Maciej
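An added illustration of the point the thread turns on, written for this page and not code from the thread, from dnsmasq or from any of the participants: with dnssec-check-unsigned on, an unsigned reply is only accepted if the resolver can show that the zone it came from is allowed to be unsigned, which it does by looking for a DS record at each delegation from the trust anchor down to the name. The zone layout (domain.org signed, intern.domain.org an unsigned subzone) is the one Stéphane proposes above; the zone-cut table and the DS entries are constructed, and the NSEC/NSEC3 proof that a DS is really absent is not modelled.

```python
"""Toy model of the decision a validating resolver makes about an UNSIGNED answer.

With dnssec-check-unsigned on, dnsmasq does not just pass an unsigned reply
through: it checks that the zone the reply came from is actually allowed to be
unsigned, by looking (top-down from the trust anchor) for a DS record at every
delegation on the way to the name. A DS means the child zone must be signed,
so an unsigned reply from it is bogus; a delegation with no DS is an insecure
delegation and unsigned replies below it are accepted (without the AD bit).

This file models that decision over constructed data; it performs no DNS
queries and does not implement the NSEC/NSEC3 proof that a DS is truly absent.
"""

from typing import Dict, List, Set, Tuple

# Constructed data. The delegation points below reproduce the layout proposed in
# the thread: domain.org is signed, intern.domain.org is an unsigned subzone.
# DS values are placeholders; only their presence or absence matters here.
CONSTRUCTED_ZONE_CUTS: Set[str] = {".", "org.", "domain.org.", "intern.domain.org."}
CONSTRUCTED_DS: Dict[str, str] = {
    "org.": "DS placeholder (org. is signed)",
    "domain.org.": "DS placeholder (domain.org. is signed)",
    # intern.domain.org. is deliberately absent: no DS, so an insecure delegation.
}


def normalize(name: str) -> str:
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def zone_chain(name: str, zone_cuts: Set[str]) -> List[str]:
    """Return the zone cuts enclosing name, from the root down to the closest one."""
    labels = [label for label in normalize(name).split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_cuts:
            chain.append(candidate)
    return chain


def classify_unsigned_answer(
    name: str,
    check_unsigned: bool = True,
    zone_cuts: Set[str] = CONSTRUCTED_ZONE_CUTS,
    ds_records: Dict[str, str] = CONSTRUCTED_DS,
) -> Tuple[str, str]:
    """Decide the fate of an unsigned answer for name.

    Returns (status, reason):
      "unchecked" - dnssec-check-unsigned is off: the reply is passed through as-is.
      "insecure"  - the chain of trust is broken by a delegation without a DS above
                    the name, so an unsigned reply is legitimate (no AD bit).
      "bogus"     - every delegation down to the name carries a DS, so the zone is
                    signed and an unsigned reply is treated as forged (SERVFAIL).
    """
    if not check_unsigned:
        return ("unchecked", "dnssec-check-unsigned off: unsigned reply accepted without proof")
    chain = zone_chain(name, zone_cuts)
    # The root is trusted through the configured trust anchor, so start below it.
    for zone in chain[1:]:
        if zone not in ds_records:
            return ("insecure", f"no DS for {zone}: insecure delegation, unsigned replies allowed")
    return ("bogus", f"{chain[-1]} has a DS in its parent: replies must be signed, unsigned reply rejected")


if __name__ == "__main__":
    for qname in ("server.domain.org", "server.intern.domain.org"):
        status, reason = classify_unsigned_answer(qname)
        print(f"{qname:28} -> {status:9} {reason}")
```

Run stand-alone it shows the two outcomes side by side: an unsigned reply for server.domain.org is rejected because domain.org has a DS, while the same kind of reply for server.intern.domain.org is accepted as insecure because the intern delegation has none. That is why moving the internal, unsigned names under their own delegation stops the failure, and also why it cannot give Maciej what he wanted: the internal answers are then merely unvalidated, not authenticated.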