[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Andre Heider a.heider at gmail.com
Thu Jan 14 21:32:46 GMT 2016


Hi,

On Thu, Jan 14, 2016 at 9:25 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> I've got the code I described into dnsmasq.
>
> server=/domain/<ip-address>
>
> now disables DNSSEC for queries sent to that server, unless there's
> a corresponding
>
> trust-anchor=domain,.......
>
> That all seems to work well, I can delegate to opennic at the TLD-level,
> rather than the root level.

Neat, thanks for the quick solution!

I just gave it a quick spin:
started, version 2.76test5 cachesize 150
...
using nameserver 5.9.49.12#53 for domain free
using nameserver 5.9.49.12#53 for domain bit (no DNSSEC)
using nameserver x.x.x.x#9053 for domain onion (no DNSSEC)
using nameserver y.y.y.y#53

with re-enabled dnssec-check-unsigned it now works as advertised :)

> I realised that there's a fundamental problem that all DNSSEC queries to
> validate a query get sent to the same server as the original query. That
> would break, e.g. a domain under .free which held a CNAME to another TLD.
> Fixing that needs some long-overdue code re-writing, which is now in
> progress.

Sorry for exposing that :P

Thanks,
Andre
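As an added illustration, not part of Simon's or Andre's mail, here is a dnsmasq.conf fragment that wires up the behaviour discussed above: per-domain upstream servers lose DNSSEC unless a matching trust-anchor line exists. The trust-anchor values are placeholders, and the x.x.x.x / y.y.y.y addresses are the redacted ones from the log.

```conf
# Global DNSSEC validation, with proof-of-insecure-delegation required
# for unsigned answers (the --dnssec-check-unsigned option this thread is about)
dnssec
dnssec-check-unsigned

# Root trust anchor. Placeholder fields: take the real DS record from IANA.
trust-anchor=.,<key-tag>,<algorithm>,<digest-type>,<digest>

# OpenNIC TLDs served by a specific upstream (optional #port syntax, as in
# the log line for .onion). With the change described above, a server=/domain/
# entry disables DNSSEC for queries sent to that server, because nothing in
# the ICANN root can validate these names...
server=/bit/5.9.49.12
server=/onion/x.x.x.x#9053

# ...unless a trust-anchor for the same domain is configured, in which case
# validation stays on for it. This is the ".free" case in the log, which is
# listed without the "(no DNSSEC)" marker. Placeholder DS fields again.
server=/free/5.9.49.12
trust-anchor=free,<key-tag>,<algorithm>,<digest-type>,<digest>

# Everything else goes to the default upstream and is validated against
# the root anchor.
server=y.y.y.y
```

The "using nameserver ... (no DNSSEC)" lines dnsmasq logs at startup are the quickest way to confirm which domains ended up unvalidated.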



More information about the Dnsmasq-discuss mailing list