[Dnsmasq-discuss] dnsmasq and "AD" flag forwarding

Tomas Hozza thozza at redhat.com
Mon Dec 16 11:13:24 GMT 2013


----- Original Message -----
> I can see at least one bug in the code: in the code-path taken to answer
> a query from the cache, the value of the AD flag is never changed: it
> simply takes the value that it had in the query. I guess the
> "authenticated" status of the data should be cached, and used to provide
> this information.

I'm sure there is nothing wrong with caching the AD flag. However, as stated
in the --proxy-dnssec documentation, dnsmasq as a non-validating resolver should
not return the AD flag to clients, unless the --proxy-dnssec option is used.
 
> I'm currently deep into work to provide DNSSEC validation in dnsmasq,
> and all of this code is therefore subject to massive revision in the
> near future. I'll address the behaviour when dnsmasq is NOT validating
> itself as part of that work.

I can understand that implementing the DNSSEC validation is a hard task
and requires a lot of time and effort.

I can try to come up with a patch for the "AD" flag forwarding if you could
agree with me on what is the correct behaviour here. Also, what is the
role of the --proxy-dnssec option?

Thanks!

Regards,

Tomas

> 
> 
> Cheers,
> 
> 
> Simon.
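
Added example, not part of the original message and not dnsmasq code: a Python model of the cache reply path discussed above. cache_reply_echo reproduces the described behaviour (AD copied from the query); cache_reply_policy is an assumed reading of the --proxy-dnssec rule stated in the reply, with cached_ad as a hypothetical per-entry field. All function names and header bytes are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

def make_query(qid, ad=False):
    """Constructed 12-byte DNS header: one question, RD set, AD optional."""
    flags = RD | (AD if ad else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

def flags_of(msg):
    return struct.unpack("!H", msg[2:4])[0]

def has_ad(msg):
    return bool(flags_of(msg) & AD)

def _with_flags(msg, flags, ancount):
    """Rewrite the flags and ANCOUNT fields, keep everything else."""
    qid, _, qd, _, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return struct.pack("!HHHHHH", qid, flags, qd, ancount, ns, ar) + msg[12:]

def cache_reply_echo(query):
    """Behaviour described in the quoted text: the reply is built on the
    query header, so AD keeps whatever value the client sent."""
    return _with_flags(query, flags_of(query) | QR | RA, 1)

def cache_reply_policy(query, cached_ad, proxy_dnssec):
    """Assumed policy: clear the client's AD bit, then set AD only when the
    upstream status was cached as authenticated AND proxy_dnssec is on."""
    flags = (flags_of(query) | QR | RA) & ~AD
    if proxy_dnssec and cached_ad:
        flags |= AD
    return _with_flags(query, flags, 1)

def compare():
    """Rows: (query_ad, cached_ad, proxy_dnssec, echo_ad, policy_ad)."""
    rows = []
    for q_ad in (False, True):
        for cached_ad in (False, True):
            for proxy in (False, True):
                q = make_query(0x1234, q_ad)
                rows.append((q_ad, cached_ad, proxy,
                             has_ad(cache_reply_echo(q)),
                             has_ad(cache_reply_policy(q, cached_ad, proxy))))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row, "MISMATCH" if row[3] != row[4] else "")
```

Rows marked MISMATCH are the cases where echoing the query's AD bit tells the client something different from the cached upstream status under the stated rule.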


