[Dnsmasq-discuss] possible minor bug: Caching the results of queries with +cd set...

Simon Kelley simon at thekelleys.org.uk
Tue Feb 15 15:49:46 GMT 2011


Thanks for the report; I'm pleased to say that this was fixed in version
2.56, released yesterday.

Cheers,

Simon.



Nicholas Weaver wrote:
> (Note: I don't have the version # with me right now, as the NAT in
> question is at home, I can send that tonight)...
> 
> 
> Experimenting with DNSSEC (the Comcast no-wildcarding servers are now
> full DNSSEC), I observed the following:
> 
> www.dnssec-failed.org is a (Comcast-owned) domain with deliberately
> broken DNSSEC information.  The NAT I'm using uses dnsmasq and gives
> the NAT's IP for the resolver address (always).
> 
> 
> 
> dig www.dnssec-failed.org
>   properly fails
> 
> dig +cd www.dnssec-failed.org
>   properly succeeds, showing that +cd (Checking disabled) is properly
> forwarded to the resolver.
> 
> But then, a normal
> dig www.dnssec-failed.org
>   will succeed, as dnsmasq cached the result of the +cd query.
> 
> 
> Basically, queries with +cd set should bypass the cache always: they
> should both go out onto the wire with +cd set AND the result should
> not be placed in the cache.
> 
> 
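
The caching behaviour described in the report, as an added example that is not part of the original thread and is not dnsmasq code: a toy Python model of a caching forwarder in front of a validating resolver, replaying the three dig calls with and without caching of +cd answers. The `upstream` function, the `Forwarder` class and the 192.0.2.x addresses are constructed for illustration.

```python
# Added illustration: toy model of a caching forwarder, not dnsmasq code.
from dataclasses import dataclass, field

BOGUS = {"www.dnssec-failed.org"}   # constructed: names whose DNSSEC validation fails
RECORDS = {"www.dnssec-failed.org": "192.0.2.10",   # constructed addresses (TEST-NET-1)
           "www.example.org": "192.0.2.20"}

def upstream(name, cd):
    """Validating upstream resolver: SERVFAIL for bogus data unless CD is set."""
    if name in BOGUS and not cd:
        return ("SERVFAIL", None)
    return ("NOERROR", RECORDS[name])

@dataclass
class Forwarder:
    cache_cd_answers: bool          # True models the behaviour reported in the thread
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def query(self, name, cd=False):
        # Rule from the report: a CD query never reads the cache ...
        if not cd and name in self.cache:
            return ("NOERROR", self.cache[name])
        self.upstream_queries += 1
        rcode, addr = upstream(name, cd)   # CD bit is forwarded unchanged
        # ... and its answer is never written to the cache.
        if rcode == "NOERROR" and (self.cache_cd_answers or not cd):
            self.cache[name] = addr
        return (rcode, addr)

def dig_sequence(fwd, name="www.dnssec-failed.org"):
    """The three dig calls from the report: plain, +cd, plain."""
    return [fwd.query(name)[0], fwd.query(name, cd=True)[0], fwd.query(name)[0]]

if __name__ == "__main__":
    print("caches +cd answers:", dig_sequence(Forwarder(cache_cd_answers=True)))
    print("bypasses the cache:", dig_sequence(Forwarder(cache_cd_answers=False)))
```

With `cache_cd_answers=True` the third, plain query is answered from the cache and never reaches the validator, which is why it succeeds for a name that should fail.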



