[Dnsmasq-discuss] forwarding signed requests

Philip Craig philipc at snapgear.com
Thu Mar 19 07:53:20 GMT 2009


Simon Kelley wrote:
> The intention of the code is to avoid invalidating the signature of 
> signed packets by forwarding queries and returning replies bit-perfect 
> unaltered. The motivation for doing this is to allow DNSSEC to function, 
> not for dynamic dns updates.

The changelog for 2.36 does specifically mention DDNS updates and
bit-perfect signed packets. I can see that we might need to do this for
DNSSEC too, but is that because dnsmasq doesn't have the support to sign
and verify signatures itself, or would it be needed anyway?

> You should be aware that I'm very unlikely to accept such code into the 
> dnsmasq mainline.

Understandable, the NXDOMAIN changes are dodgy. I'm trying to solve the
problem of resolving internal domains across VPNs automatically without
requiring user configuration. The idea is to query all the VPN servers,
and take the first response that is not NXDOMAIN. This means things work
by default, while still allowing user configuration to optimise things
to avoid unnecessary queries.

The timeout support is required as part of the above, but I think it
does give some improvement for the general case too: dnsmasq should be
smart enough to try another server if the first one is down, without
requiring a potentially long timeout on the client.
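The fan-out strategy described in this message (query every VPN server, accept the first reply that is not NXDOMAIN, and bound the wait so a down server does not stall the client), written up as an added simulation; this is not dnsmasq code, and the server names, zones and addresses are constructed for the example.

```python
import asyncio

NXDOMAIN = "NXDOMAIN"

class Upstream:
    """Simulated VPN DNS server: a tiny zone, a reply delay, and a 'down'
    flag for a peer that never answers (all constructed for this example)."""
    def __init__(self, name, zone, delay, down=False):
        self.name, self.zone, self.delay, self.down = name, zone, delay, down

    async def query(self, qname):
        if self.down:
            await asyncio.sleep(3600)  # dead peer: no reply within any sane timeout
        await asyncio.sleep(self.delay)
        return self.zone.get(qname, NXDOMAIN)

async def resolve(qname, upstreams, timeout):
    """Fan the query out to every upstream and return (answer, server) for the
    first reply that is not NXDOMAIN. If all say NXDOMAIN, or the deadline
    passes first, answer NXDOMAIN so one unreachable VPN never stalls the client.
    Caveat: any single upstream can thereby answer for any name."""
    tasks = {asyncio.create_task(u.query(qname)): u.name for u in upstreams}
    pending = set(tasks)
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    try:
        while pending and loop.time() < deadline:
            done, pending = await asyncio.wait(
                pending, timeout=deadline - loop.time(),
                return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                answer = task.result()
                if answer != NXDOMAIN:
                    return answer, tasks[task]
        return NXDOMAIN, None
    finally:
        for task in pending:  # drop whatever is still outstanding
            task.cancel()

def lookup(qname, upstreams, timeout=0.5):
    return asyncio.run(resolve(qname, upstreams, timeout))

# Constructed sample VPN peers; names and addresses are invented.
UPSTREAMS = [
    Upstream("office-vpn", {"intranet.corp.example.": "10.1.0.5"}, 0.02),
    Upstream("lab-vpn", {"build.lab.example.": "10.2.0.9"}, 0.01),
    Upstream("dead-vpn", {}, 0.01, down=True),
]
```

`lookup("nowhere.example.", UPSTREAMS, timeout=0.2)` returns within the timeout even though `dead-vpn` never answers, which is the failover behaviour the message argues for.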
