[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Simon Kelley simon at thekelleys.org.uk
Thu Jan 14 20:25:32 GMT 2016


I've got the code I described into dnsmasq.

server=/domain/<ip-address>

now disables DNSSEC for queries sent to that server, unless there's
a corresponding

trust-anchor=domain,.......

That all seems to work well; I can delegate to opennic at the TLD level,
rather than the root level.

I realised that there's a fundamental problem that all DNSSEC queries to
validate a query get sent to the same server as the original query. That
would break, e.g., a domain under .free which held a CNAME to another TLD.
Fixing that needs some long-overdue code re-writing, which is now in
progress.


Cheers,

Simon.


On 12/01/16 10:16, Andre Heider wrote:
> On Mon, Jan 11, 2016 at 10:27 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> dig @5.9.49.12 dnskey . | dnssec-dsfromkey -2 -f - .
>>
>> The -2 flag tells dsfromkey to make the SHA256 hash
>>
>> . IN DS 7372 8 2 14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285
>>
>>
>> A quick re-format into dnsmasq config format gives us
>>
>> trust-anchor=.,7372,8,2,14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285
> 
> I knew it was just a hash, but I was too lazy to look up how to get it
> into a compatible format :)
> dnssec-dsfromkey is the solution, thanks for that info.
> 
> Thanks,
> Andre
> 
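As an added worked example (not code from this thread or from dnsmasq): an offline equivalent of the `dig ... | dnssec-dsfromkey -2` step quoted above, followed by the re-format into dnsmasq's `trust-anchor=` syntax. It implements the DS computation from RFC 4034 (digest over the canonical wire-form owner name followed by the DNSKEY RDATA, key tag per Appendix B) and goes slightly beyond the post by accepting digest types 1 (SHA-1) and 4 (SHA-384) as well as the SHA-256 the post uses. The function names are mine, and the sample record is constructed: it carries a dummy 4-byte "key" (base64 of 01 02 03 04) rather than a real DNSKEY, so the key tag can be checked by hand (0x0101 + 0x0308 + 0x0102 + 0x0304 = 0x080F = 2063).

```python
"""Compute a DS record from a DNSKEY RR and print it as a dnsmasq trust-anchor.

Added example for this thread; it is not dnsmasq code.  It follows RFC 4034:
  key tag   = Appendix B checksum over the DNSKEY RDATA
  DS digest = H(canonical owner name in wire form || DNSKEY RDATA)
"""
import base64
import hashlib

# DS digest type -> hash function (IANA DS digest registry:
# 1 = SHA-1, 2 = SHA-256, 4 = SHA-384).  The post uses type 2.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample record: a KSK (flags 257) with a dummy 4-byte "key"
# (base64 of 01 02 03 04), chosen so the key tag can be checked by hand.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercased, length-prefixed labels, ending in the empty root label."""
    name = name.lower().rstrip(".")
    if not name:                    # the root zone, written as "."
        return b"\x00"
    out = bytearray()
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def parse_dnskey(rr: str):
    """Parse a DNSKEY in presentation format, e.g. a line from `dig dnskey .`:
    '. 172800 IN DNSKEY 257 3 8 AwEAA...'.  TTL and class may be absent and
    the key may be split across tokens or wrapped in parentheses (dig's long
    form).  Returns (owner, rdata) with rdata = flags|protocol|algorithm|key."""
    tokens = rr.replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record")
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    return owner, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str, digest_type: int = 2):
    """The fields `dnssec-dsfromkey` prints: (owner, key tag, algorithm,
    digest type, upper-case hex digest).  digest_type 2 matches its -2 flag."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    owner, rdata = parse_dnskey(rr)
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    h = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata)
    return owner, key_tag(rdata), rdata[3], digest_type, h.hexdigest().upper()


def dnsmasq_trust_anchor(rr: str, digest_type: int = 2) -> str:
    """Re-format the DS as dnsmasq's
    trust-anchor=<domain>,<keytag>,<algorithm>,<digesttype>,<digest>.
    The root is written as '.' and other names without the trailing dot,
    matching the two forms that appear in the thread."""
    owner, tag, alg, dtype, digest = ds_from_dnskey(rr, digest_type)
    domain = owner.rstrip(".") or "."
    return f"trust-anchor={domain},{tag},{alg},{dtype},{digest}"


if __name__ == "__main__":
    print(" ".join(str(f) for f in ds_from_dnskey(SAMPLE_DNSKEY)))
    print(dnsmasq_trust_anchor(SAMPLE_DNSKEY))
```

Feed it a full record line from `dig dnskey <zone>` (the lines that contain `DNSKEY`, not the `+short` form, which drops the owner name), and pick the key with flags 257 (the SEP/KSK bit) rather than 256. The same conversion on a TLD's DNSKEY yields the `trust-anchor=domain,...` line that pairs with `server=/domain/<ip-address>` as described above; before relying on it, compare the output against `dnssec-dsfromkey` or the DS published in the parent zone, since a transcription error in the digest silently turns every answer from that server into a validation failure.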
