[Dnsmasq-discuss] DNSSEC passtrough

[Petr Menšík]

Hi Simon and others!

I am thinking about dnssec support of dnsmasq. Is it possible to enable
dnssec support, but disable dnssec validation at the same time? Bind for
example have options dnssec-enable and dnssec-validation. There is
option proxy-dnssec, but I think it only copies AD flag in replies. The
flag itself is worthless I think.

I have one issue with dnsmasq in RHEL. We support special FIPS 140-2
mode with certified crypto libraries. gnutls is certified but nettle
alone is not. Current versions in RHEL have disabled DNSSEC support. In
Fedora it is enabled. Using gnutls for all crypto operations would make
it trusted also.

Thing is, we would recommend using certified DNSSEC resolver behind
dnsmasq. Problem is that without dnssec support, any server using
dnsmasq as caching proxy is not able to validate a single thing. This is
often case of libvirt.

Libvirt uses dnsmasq for DNS and DHCP. Any virtual machine under it is
configured dynamically. But it is impossible to use validating resolver
in such machine, like unbound. We use it together with dnssec-trigger to
automatically configure from DHCP. Just try dig +dnssec in any libvirt
machine. No signatures are included. Secondary problem is that libvirt
has currently no was to enable dnssec in its configuration. But that is
not to solve here.

Is there reason why validation and passing do bit and including
signatures in replies is bundled together? I think dnssec support should
be enabled by default today. But because dnssec validation can
introduce, require cryptography support and configuration of trusted
anchors, it is not so wise to enable it by default.

Would be patch splitting support for DNSSEC queries and separate
validation welcome? What do you think about turning dnssec queries
support on by default, so dig +dnssec would pass signatures without
additional configuration?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973