[Dnsmasq-discuss] forwarding signed requests

Simon Kelley simon at thekelleys.org.uk
Wed Mar 18 09:46:07 GMT 2009


Philip Craig wrote:
> Why does dnsmasq have support for forwarding signed requests?
> The changelog indicates that this was added for dynamic dns updates.
> 
> But I've tried to understand how dns updates work from RFC 2136, and
> also Microsoft's description at:
> 	http://technet.microsoft.com/en-us/library/cc784052.aspx
> and my understanding is that the client will only send these requests
> to the primary server for the domain, which will never be the dnsmasq
> server.
> 
> ie the process is:
> 1. send a SOA query to dnsmasq (no signing needed)
> 2. send an update request to the primary server (signed)
> 
> The RFC does talk about forwarding, but only in the context of
> a zone slave forwarding to a master, which does not apply for dnsmasq.
> 
> What am I missing?

The intention of the code is to avoid invalidating the signature of
signed packets by forwarding queries and returning replies bit-perfect
unaltered. The motivation for doing this is to allow DNSSEC to function,
not for dynamic dns updates.

> 
> The reason I ask is that I am looking at adding some support for
> retrying different servers for timeouts or NXDOMAIN responses,
> which will require storing either the original query or a
> NXDOMAIN response, and I'm trying to understand how the signed
> request support should interact with this.

You should be aware that I'm very unlikely to accept such code into the 
dnsmasq mainline.


Cheers,

Simon.
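To make the point in Simon's reply concrete, here is an added illustration (not dnsmasq's code, and not from the original thread) of why a forwarder has to pass a signed message through byte-for-byte. It assumes that "signed" means a SIG(0) (type 24, RFC 2931) or TSIG (type 250, RFC 2845) record in the additional section; whether that is exactly dnsmasq's test is an assumption here. The MAC is a toy HMAC over the message bytes under a constructed key, standing in for the real TSIG computation, and `upstream_server` is a stand-in for the server that would actually verify the signature.

```python
import hashlib
import hmac
import struct

TYPE_A, TYPE_SIG, TYPE_TSIG = 1, 24, 250   # SIG(0): RFC 2931, TSIG: RFC 2845
CLASS_IN, CLASS_ANY = 1, 255
RCODE_NOERROR, RCODE_NOTAUTH = 0, 9        # NOTAUTH is TSIG's failure rcode
KEY = b"constructed-demo-key"              # constructed shared secret, not a real key


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qid, qname, qtype=TYPE_A):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def additional_rrs(msg):
    """List of (offset, type, rdata) for every RR in the additional section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    out = []
    for i in range(an + ns + ar):
        start = off
        _, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an + ns:
            out.append((start, rtype, msg[off:off + rdlen]))
        off += rdlen
    return out


def is_signed(msg):
    """The forwarder's test (assumed): a SIG(0) or TSIG RR in the additional section."""
    return any(t in (TYPE_SIG, TYPE_TSIG) for _, t, _ in additional_rrs(msg))


def sign(msg):
    """Toy TSIG: append a TSIG RR whose RDATA is an HMAC over the unsigned
    message bytes. Real TSIG covers extra fields (RFC 2845 s3.4), but the
    property that matters here is the same: the MAC binds the exact bytes."""
    mac = hmac.new(KEY, msg, hashlib.sha256).digest()
    rr = encode_name("demo.key.") + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(mac)) + mac
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar + 1) + msg[12:] + rr


def verify(msg):
    rrs = additional_rrs(msg)
    if not rrs or rrs[-1][1] != TYPE_TSIG:
        return False
    start, _, mac = rrs[-1]
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    unsigned = struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar - 1) + msg[12:start]
    return hmac.compare_digest(hmac.new(KEY, unsigned, hashlib.sha256).digest(), mac)


def rewrite_query(msg):
    """A semantically harmless rewrite a forwarder might apply: re-encode the
    question name in lower case (same length, same meaning, different bytes)."""
    qname, qend = decode_name(msg, 12)
    return msg[:12] + encode_name(qname.lower()) + msg[qend:]


def upstream_server(query):
    """Stand-in for the server that owns the key: answer NOTAUTH if a signed
    query's MAC no longer matches, otherwise echo a NOERROR reply."""
    rcode_val = RCODE_NOERROR if (not is_signed(query) or verify(query)) else RCODE_NOTAUTH
    qid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", qid, flags | 0x8000 | rcode_val) + query[4:]   # QR bit set


def rcode(reply):
    return struct.unpack("!H", reply[2:4])[0] & 0x0F


def forward(query, upstream, preserve_signed=True):
    """Forwarder: signed queries (and their replies) pass through unaltered;
    unsigned ones may be normalised before forwarding."""
    if preserve_signed and is_signed(query):
        return upstream(query)
    return upstream(rewrite_query(query))


def demo():
    """Return (rcode with pass-through, rcode with rewrite) for one signed query."""
    q = sign(build_query(0x1234, "Example.COM."))
    return (rcode(forward(q, upstream_server, preserve_signed=True)),
            rcode(forward(q, upstream_server, preserve_signed=False)))


if __name__ == "__main__":
    print(demo())   # (0, 9): pass-through keeps the MAC valid, the rewrite breaks it
```

The rewrite here only changes the case of the question name, which DNS treats as equivalent, yet the MAC fails at the upstream server; any re-serialisation (compression, reordering of records, a cache-filled answer) breaks the signature the same way, which is why the only safe forwarding for a signed message is the unmodified packet in both directions.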
