[Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?
Tore Anderson
tore at fud.no
Fri Aug 30 20:11:07 BST 2019
* Simon Kelley
> I just pushed
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
>
> Which makes the following changes:
>
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other than the NSEC/NSEC3 records needed
> for non-existence proof are not signed.
>
> 2) Use the TTL of the NSEC record when caching the non-existence of DS
> records.
>
> I'm currently testing this live here, and I'd appreciate it if you could
> give it a whirl too.
Excellent. I've been running it for a few hours now, no problems whatsoever so far.
In comparison, with HEAD^1, I could hardly use my computer for anything Internet-related.
So this is very promising indeed. Thanks!
Tore