[Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

Stéphane Guedon stephane at 22decembre.eu
Fri Oct 2 17:46:40 BST 2015


On Thursday, 1 October 2015, 08:57:14, Ernst Ahlers wrote:
> > I guess the logic is that dnsmasq is the authoritative source for
> > that data, so it doesn't need to validate it to know that it's
> > real.
> 
> Right, but obviously the solution is not as simple as setting AD.
> 
> As for the background (sorry, since English is not my native tongue
> I'm having trouble being verbose):
> 
> A lot people around here (me included) use a well-known router brand
> (Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
> free dyndns service (myfritz.net). It not only answers for both
> address types but for IPv6 also allows subdomains for hosts within
> your dyndns domain.
> 
> This is practical for accessing services like IMAP or Webdav(s) from
> anywhere via the same domain name. Now asking the router for a host
> from the local network will return the *external* IPv4 address and
> the global IPv6 address.
> 
> With IPv4 connections from the local network this obviously incurs a
> performance penalty since the packets will have to traverse the
> router's NAT. This might not be an issue with IMAP but definitely
> with NAS access via Webdav(s) or SFTP.
> 
> I submitted the idea of returning local IPv4 addresses for internal
> queries to AVM. Their reply was that this will fail if they'd enable
> DNSSEC for their dyndns service in the future. My knee-jerk reply
> was to let dnsmasq set the AD flag for this kind of query. But as
> per your explanations this is only half a solution.
> 
> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?
> 
> Best regards
> 
> Ernst
> 

Allow me to join in.

The interest is also that a domain is signed and used publicly (www, mx, imap
with public internet addresses signed...) but that when you are in your
network, the local dns (dnsmasq) gives your internal (nat, local) addresses
instead, which are not signed.

There, you will have conflicts between the two addresses.

Allowing dnsmasq to sign (or give a proof of authenticity) would solve this 
problem, yet I am sure it is not easy.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/
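The thread turns on what the AD flag actually tells a client: it is set by a validating resolver on answers it has verified, and an unsigned local answer served by dnsmasq for a name that is signed in the public zone will not carry it (and would fail validation at any client that validates on its own). The following script, added here as an illustration and not code from the dnsmasq project or from anyone in this thread, builds a DNS query with the EDNS0 DO bit, and decodes the header flags of a response so you can see whether an answer came back as authoritative (AA), validated (AD), or neither. The two response messages in `demo()` are constructed by hand to show what a split-horizon answer typically looks like next to a validated one; the name `nas.example.home` and the classification labels are assumptions of this example.

```python
import socket
import struct

# DNS header flag masks (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2.3).
QR, AA, RD, RA, AD, CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F


def build_query(name, qtype=1, txid=0x1234, want_dnssec=True):
    """Wire-format query (RD set) with an optional EDNS0 OPT RR carrying DO=1."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE=41, UDP payload size 4096,
        # extended RCODE 0, EDNS version 0, flags with DO bit (0x8000), RDLEN 0.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(msg):
    """Decode the 12-byte header of a DNS message into a dict of the bits we care about."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "authenticated": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "answers": ancount,
    }


def classify(flags):
    """Label an answer the way a validating client would see it (labels are this example's own)."""
    if flags["rcode"] != 0:
        return "error"
    if flags["authenticated"]:
        return "validated"          # resolver asserts it checked the signatures
    if flags["authoritative"]:
        return "local-authoritative-unsigned"   # served from local data, no validation claim
    return "unvalidated"


def query(resolver_ip, name, port=53, timeout=2.0):
    """Send one UDP query to a resolver and return the decoded flags (network access required)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, port))
        data, _ = s.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != 0x1234:
        raise ValueError("transaction id mismatch: %04x" % flags["id"])
    return flags


def demo():
    """Constructed responses: a local split-horizon answer and a validated public answer."""
    txid = 0x1234
    # Constructed: what a local-data answer looks like, AA set, AD absent.
    local_answer = struct.pack("!HHHHHH", txid, QR | AA | RD | RA, 1, 1, 0, 0)
    # Constructed: what a validating resolver returns for a signed public name.
    public_answer = struct.pack("!HHHHHH", txid, QR | RD | RA | AD, 1, 1, 0, 1)
    return classify(parse_flags(local_answer)), classify(parse_flags(public_answer))


if __name__ == "__main__":
    local, public = demo()
    print("local view:", local)
    print("public view:", public)
```

Run `demo()` offline to see the two cases side by side; point `query()` at the router (which runs dnsmasq) and at a public validating resolver to compare the real flags for the same name. Note that AD is only meaningful when the path to the resolver is itself trusted, since any resolver (or anything in between) can set the bit; a client that validates for itself ignores AD and checks the RRSIGs, which is exactly why setting AD on unsigned local answers is, as Simon's explanation quoted above puts it, only half a solution.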