[Dnsmasq-discuss] forwarding signed requests
Simon Kelley
simon at thekelleys.org.uk
Wed Mar 18 09:46:07 GMT 2009
Philip Craig wrote:
> Why does dnsmasq have support for forwarding signed requests?
> The changelog indicates that this was added for dynamic dns updates.
>
> But I've tried to understand how dns updates work from RFC 2136, and
> also Microsoft's description at:
> http://technet.microsoft.com/en-us/library/cc784052.aspx
> and my understanding is that the client will only send these requests
> to the primary server for the domain, which will never be the dnsmasq
> server.
>
> i.e. the process is:
> 1. send a SOA query to dnsmasq (no signing needed)
> 2. send an update request to the primary server (signed)
>
> The RFC does talk about forwarding, but only in the context of
> a zone slave forwarding to a master, which does not apply for dnsmasq.
>
> What am I missing?
The intention of the code is to avoid invalidating the signature of
signed packets by forwarding queries and returning replies bit-perfect
unaltered. The motivation for doing this is to allow DNSSEC to function,
not for dynamic dns updates.
>
> The reason I ask is that I am looking at adding some support for
> retrying different servers for timeouts or NXDOMAIN responses,
> which will require storing either the original query or a
> NXDOMAIN response, and I'm trying to understand how the signed
> request support should interact with this.
You should be aware that I'm very unlikely to accept such code into the
dnsmasq mainline.
Cheers,
Simon.
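The point Simon makes above is that a forwarder which parses and rebuilds a signed message, even without changing its meaning, destroys any signature computed over the wire bytes. The following is an added illustration, not dnsmasq code: it uses an HMAC-SHA256 over the raw bytes with a constructed key as a stand-in for the real signature scheme, and compares a bit-perfect forwarder with one that re-serialises the query (assigning its own transaction ID and normalising name case).

```python
import hmac
import hashlib
import struct

# Constructed shared key; stands in for whatever key the real scheme uses.
KEY = b"example-shared-secret"


def build_query(txid: int, qname: str, qtype: int = 6) -> bytes:
    """Minimal DNS wire-format query: header plus one question (QTYPE 6 = SOA, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def sign(packet: bytes) -> bytes:
    """Signature over the exact wire bytes (HMAC is a stand-in for the real scheme)."""
    return hmac.new(KEY, packet, hashlib.sha256).digest()


def verify(packet: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(packet), sig)


def forward_unaltered(packet: bytes) -> bytes:
    """A bit-perfect forwarder: the bytes pass through untouched."""
    return bytes(packet)


def forward_reserialised(packet: bytes, new_txid: int) -> bytes:
    """A forwarder that parses the query and rebuilds it with its own ID and a
    lowercased name. The question is semantically identical, the bytes are not."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode().lower())
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return build_query(new_txid, ".".join(labels), qtype)


def demo() -> dict:
    query = build_query(0x1234, "Example.COM")  # constructed sample query
    sig = sign(query)
    return {
        "unaltered": verify(forward_unaltered(query), sig),      # True
        "reserialised": verify(forward_reserialised(query, 0x5678), sig),  # False
    }


if __name__ == "__main__":
    print(demo())
```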