[Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

Ernst Ahlers ea at ct.de
Wed Sep 30 09:54:42 BST 2015

Hello together,

first off: Many thanks to Simon and all developers for a very useful tool!

I'm using dnsmasq 2.72 with DNSSEC validation on my home server
(Ubuntu 14.04 LTS). During a discussion with a router manufacturer the
topic of answers for local queries for local hosts came up.

As far as I can see dnsmasq answers such queries without validation,
i.e. not setting the AD flag:

ea@swing:~$ dnsmasq --version
Dnsmasq version 2.72  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6
no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect
ea@swing:~$ dig +dnssec bsi.bund.de @localhost | grep AUTH
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
ea@swing:~$ dig +dnssec ap @localhost | grep AUTH
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Now this is expected since I didn't sign my locally used domain.
Anyway I'd like to be able to mark answers for local hosts within the
local network as validated. Is there an option to enable this?

Best regards


Ernst Ahlers, Redakteur/Editor
PGP-Key-ID: 0x265E 3662, plain text preferred

c't - Magazin für Computertechnik
Karl-Wiechert-Allee 10
D-30625 Hannover, Germany
Phone +49 (0)511 5352 300
Fax +49 (0)511 5352 417

Heise Medien GmbH & Co. KG
Registration court: Amtsgericht Hannover HRA 26709
General partner:
Heise Medien Geschäftsführung GmbH
Registration court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder

Katze 5e
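
Added example, not part of the original post and not dnsmasq code: the two flag sets shown by dig above, decoded from the 12-byte DNS header the way a client that cares about the AD bit would read them. The header bytes are constructed to match the dig output, and the function names and classification labels are hypothetical.

```python
import struct

# Bit positions in the 16-bit flags word of the DNS header
# (RFC 1035 section 4.1.1; AD and CD defined by RFC 4035).
FLAG_BITS = [
    ("qr", 0x8000),  # message is a response
    ("aa", 0x0400),  # authoritative answer
    ("tc", 0x0200),  # truncated
    ("rd", 0x0100),  # recursion desired
    ("ra", 0x0080),  # recursion available
    ("ad", 0x0020),  # authentic data: resolver validated the answer
    ("cd", 0x0010),  # checking disabled
]

def decode_header(wire: bytes) -> dict:
    """Decode the fixed 12-byte DNS header from a wire-format message."""
    if len(wire) < 12:
        raise ValueError("DNS header is 12 bytes; message is truncated")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    return {
        "id": msg_id,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }

def classify(header: dict) -> str:
    """Label a response by what its flags claim about validation."""
    flags = header["flags"]
    if "qr" not in flags:
        return "not-a-response"
    if "ad" in flags:
        return "validated-by-resolver"
    if "aa" in flags:
        # Served from the resolver's own local data, no DNSSEC validation.
        return "local-authoritative-unvalidated"
    return "unvalidated"

# Constructed headers matching the two dig outputs in the post
# (message IDs are arbitrary sample values).
SIGNED_ZONE = struct.pack("!6H", 0x1A2B, 0x81A0, 1, 2, 0, 1)  # qr rd ra ad
LOCAL_HOST = struct.pack("!6H", 0x1A2C, 0x8580, 1, 1, 0, 1)   # qr aa rd ra

if __name__ == "__main__":
    for label, wire in (("bsi.bund.de", SIGNED_ZONE), ("ap", LOCAL_HOST)):
        hdr = decode_header(wire)
        print(label, " ".join(hdr["flags"]), hdr["counts"], classify(hdr))
```

The AD bit is an unauthenticated header bit, so a client can rely on it only when the path to the resolver is itself trusted, as with the loopback query used in the post.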
