[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

Stéphane Guedon stephane at 22decembre.eu
Sat Jul 18 17:11:28 BST 2015

On Sunday 14 June 2015 19:44:14, you wrote:
> Hi,
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon <stephane at 22decembre.eu>
> wrote:
> > On Friday 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled, gets an
> > > unsigned response from a signed zone and the intended reaction of
> > > dnsmasq kicks in.
> > > 
> > > Not a bug then. Is my understanding correct?
> > 
> > As far as I understand, I have the same issue (except that dnsmasq itself
> > is serving the non-signed zone and unbound the signed one)!
> > 
> > To solve that, I propose to make the unsigned zone on another domain or
> > zone than the signed one.
> > 
> > server.domain.org is signed and the public face of your server.
> > 
> > server.intern.domain.org is unsigned. Your users can then use this
> > address, and the DNS can still give different answers depending on where
> > they are.
> > 
> > Do you understand me?
> > 
> > Do you think it is a good idea? (I am thinking of using it for my case.)
> Yes, I understand, I think it would work and it's a clever workaround for
> the issue, however in my case it does not help to maintain the end goal
> which was to provide authenticated response to that domain so that it is
> always trustworthy.
> That actually is becoming a DNSSEC question. Is there a way to provide
> split-horizon answers on signed zones? Can one name have 2 different valid
> answers and RRSIGs? Perhaps if the signature could be for a name/TTL pair,
> not just the name, and have different TTLs on those names? Dunno.
> Perhaps me trying to use dns records to test whether the responses are
> coming over dnscrypt or not is flawed in nature.
> Thanks anyway,
> Maciej

Actually, it works at first glance (basic resolution and connectivity work),
but it fails fast: when you have to work on your website that is hosted on
your home server, nothing works anymore!

So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have 
been tried. Maybe it will then give me an idea on the solution.

The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:
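A dnsmasq configuration for the split arrangement proposed in the quoted message (signed public zone on unbound, separate unsigned internal subdomain answered by dnsmasq). This is an added example, not from the thread, from dnsmasq's documentation or from either poster's setup; the 192.0.2.10 address, the unbound port 5335 and the trust-anchor digest are assumed placeholders.

```conf
# Validating forwarder: dnsmasq checks RRSIGs on answers it forwards, and
# dnssec-check-unsigned makes it demand proof (absence of a DS record at the
# parent) before accepting an unsigned answer from a signed tree.
dnssec
dnssec-check-unsigned
# Root trust anchor; the digest below is a placeholder, not a real DS value.
trust-anchor=.,19036,8,2,REPLACE_WITH_ROOT_KSK_DS_DIGEST

# The signed public zone is served by unbound (assumed on 127.0.0.1:5335),
# so answers for domain.org arrive with RRSIGs and validate normally.
server=/domain.org/127.0.0.1#5335

# The internal view is a distinct, unsigned subdomain. dnsmasq answers it
# from local configuration (longest domain match wins over the server= line
# above), and local answers are never forwarded or validated.
# No DS record for intern.domain.org is published in domain.org, so a
# validating client elsewhere can prove the delegation is insecure rather
# than bogus, which is what keeps dnssec-check-unsigned from rejecting it.
local=/intern.domain.org/
host-record=server.intern.domain.org,192.0.2.10
```

Only clients that actually use the internal name benefit; anything still configured with server.domain.org resolves to the public, signed answer from inside as well, which is consistent with the failure described above.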
