# dnsmasq Live DNSSEC PoC Harness

This directory contains a disposable local target for the DNSSEC findings.

It builds dnsmasq with `HAVE_DNSSEC`, starts a local malicious upstream DNS server on `127.0.0.1:5300`, starts dnsmasq on `127.0.0.1:5353`, and drives queries with `dig`.

## Requirements

- `make`
- `cc`
- `pkg-config`
- nettle/hogweed development libraries
- GMP development library
- `dnssec-keygen` from BIND tools
- `dig`

On this macOS test machine those are present through Homebrew/BIND tools.

## Run

```sh
./run-live-poc.sh dnssec2
./run-live-poc.sh dnssec2-noasan
./run-live-poc.sh dnssec2-both
./run-live-poc.sh dnssec1
```

`dnssec2` targets the malformed RRSIG signer-name/RDATA-bound bug with an ASAN build.

`dnssec2-noasan` targets the same malformed response with a normal non-ASAN build.

`dnssec2-both` runs the ASAN build first and then the normal non-ASAN build.

`dnssec1` targets the NSEC bitmap non-advancing loop. This mode is expected to make the dnsmasq target stop answering until the runner kills it during cleanup.
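The `dnssec1` mode concerns a loop over the NSEC type bitmap that fails to advance. As an added example (not dnsmasq code and not part of this harness), the C function below walks that field with the RFC 4034 section 4.1.2 checks, so every iteration either consumes bytes or rejects the record. The name `nsec_bitmap_has_type` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not dnsmasq code). Walks an NSEC Type Bit Maps field
 * (RFC 4034, section 4.1.2) and reports whether `type` is present.
 * Returns 1 if set, 0 if clear, -1 if the field is malformed. */
int nsec_bitmap_has_type(const uint8_t *p, size_t len, uint16_t type)
{
    int found = 0, prev_window = -1;

    while (len > 0) {
        if (len < 2)
            return -1;                 /* truncated window header */
        int window = p[0];
        size_t maplen = p[1];

        if (maplen < 1 || maplen > 32)
            return -1;                 /* bitmap length must be 1..32 octets */
        if (window <= prev_window)
            return -1;                 /* window numbers must strictly increase */
        if (maplen > len - 2)
            return -1;                 /* bitmap would run past the field */

        if (window == (type >> 8)) {
            size_t byte = (type & 0xff) >> 3;
            if (byte < maplen && (p[2 + byte] & (0x80 >> (type & 7))))
                found = 1;
        }
        /* Progress guarantee: each pass consumes at least 3 octets. */
        p += 2 + maplen;
        len -= 2 + maplen;
        prev_window = window;
    }
    return found;
}

int main(void)
{
    /* Constructed sample: window 0, types A, NS, SOA, RRSIG, NSEC. */
    const uint8_t good[] = { 0x00, 0x06, 0x62, 0x00, 0x00, 0x00, 0x00, 0x03 };
    /* Constructed malformed sample: declared length exceeds remaining data. */
    const uint8_t bad[] = { 0x00, 0x06, 0x62 };

    printf("NSEC(47) in good: %d\n", nsec_bitmap_has_type(good, sizeof good, 47));
    printf("MX(15) in good:   %d\n", nsec_bitmap_has_type(good, sizeof good, 15));
    printf("bad field:        %d\n", nsec_bitmap_has_type(bad, sizeof bad, 1));
    return 0;
}
```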

The runner uses `/private/tmp/dnsmasq-live-build` for the build and `/private/tmp/dnsmasq-live-state` for generated DNSSEC keys and logs.

DNS-DHCP-1 has its own bug-local runtime PoC at `../bugs/DNS-DHCP-1-dhcpv6-relay-hop-count/poc.sh` because DHCPv6 needs separate lab plumbing for privileged ports and raw ICMPv6 startup.
