[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Stéphane Guedon stephane at 22decembre.eu
Sun Jul 19 06:30:01 BST 2015


On Sunday 14 June 2015 19:44:14, you wrote:
> Hi,
> 
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon <stephane at 22decembre.eu> wrote:
> > On Friday 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled, gets an
> > > unsigned response from a signed zone and the intended reaction of
> > > dnsmasq kicks in.
> > > 
> > > Not a bug then. Is my understanding correct?
> > 
> > As far as I understand, I have the same issue (except that dnsmasq itself
> > is serving the non-signed zone and unbound the signed)!
> > 
> > To solve that, I propose to make the unsigned zone on another domain or
> > zone than the signed one.
> > 
> > server.domain.org is signed and the public face of your server.
> > 
> > server.intern.domain.org is unsigned. Your users can then use this
> > address, and the DNS can still give different answers depending on where they are.
> > 
> > Do you understand me?
> > 
> > Do you think it is a good idea? (I am thinking of using it for my case.)
> 
> Yes, I understand, I think it would work and it's a clever workaround for
> the issue, however in my case it does not help to maintain the end goal
> which was to provide authenticated response to that domain so that it is
> always trustworthy.
> 
> That actually is becoming a DNSSEC question. Is there a way to provide
> split-horizon answers on signed zones? Can one name have 2 different valid
> answers and RRSIGs? Perhaps if the signature could be for a name/TTL pair,
> not just the name, and have different TTLs on those names? Dunno.
> 
> Perhaps me trying to use dns records to test whether the responses are
> coming over dnscrypt or not is flawed in nature.
> 
> Thanks anyway,
> Maciej

Actually, it works at first glance (basic resolution and connectivity work),
but it fails fast: when you have to work on your website that is hosted on
your home server, nothing works anymore!

So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have 
been tried. Maybe it will then give me an idea on the solution.

-- 
The file signature.asc is not attached to be read by you. It's a digital
signature by GPG.
If you want to know why I use it, and why you should as well, you can read my
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/