[Dnsmasq-discuss] server-side dynamic resolving

John Hallam dns at j.hallam.dk
Tue Aug 14 16:48:09 BST 2012


On Tue, Aug 14, 2012 at 08:16:02AM -0500, /dev/rob0 wrote:

> On Mon, Aug 13, 2012 at 07:10:58PM +0200, John Hallam wrote:
> > * If you are wondering, why two caches, the reason is that dnsmasq
> > allows me to redirect troublemaker domains to the black hole easily,
> > while dnscache is a somewhat-paranoid full recursive caching
> > resolver.  (The dnsmasq has to forward queries to the dnscache;  the
> > reverse doesn't work straightforwardly.)
> 
> FSVO "full" and "paranoid". dnscache does not support DNSSEC 
> signature verification, does it? Is anybody hacking on it since its 
> abandonment?

  No, it doesn't support DNSSEC as far as I am aware.  And I don't
think anyone plans to add the facility to it.  If you care about
DNSSEC there are other good alternatives to bind available.

  (By somewhat-paranoid etc., I meant that dnscache always starts its
resolution chain from the roots, only trusts authoritative servers and
won't talk to upstream caches if working as a recursive resolver.
(Fully-paranoid would also verify the zone signatures on each step.))

Cheers,

	John


