[Dnsmasq-discuss] Fwd: [Cerowrt-devel] Fwd: Testers wanted: DNSSEC.

Dave Taht dave.taht at gmail.com
Wed Feb 5 17:25:27 GMT 2014


---------- Forwarded message ----------
From: Toke Høiland-Jørgensen <toke at toke.dk>
Date: Wed, Feb 5, 2014 at 12:10 PM
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
To: Dave Taht <dave.taht at gmail.com>
Cc: "cerowrt-devel at lists.bufferbloat.net" <cerowrt-devel at lists.bufferbloat.net>


Toke Høiland-Jørgensen <toke at toke.dk> writes:

> Can add it to my bufferbloat OBS :)

Right, so packages available for Arch, Debian 7 and Ubuntu 12.04, 12.10
and 13.10 are available from here:
https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq

For some reason, signature verification is failing for me on the Arch
repo.


Also, installed it on my workstation, and it seems to do *something* at
least. Running with --log-queries I get output like this:

dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1
dnsmasq[19525]: reply tohojo.dk is DS keytag 49471
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141
dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471
dnsmasq[19525]: validation result is SECURE

(I'm still running BIND on localhost on a different port which is why
it's forwarded to there...)

And sometimes there's also lines saying

dnsmasq[19525]: validation result is INSECURE

but mostly from in-addr.arpa and other places that I wouldn't expect to
be verified.

Finally there's a bunch of queries that don't say anything about dnssec
anywhere.

Oh, and --dnssec-debug doesn't seem to do anything.

-Toke


-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 499 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140205/78dc8d33/attachment.pgp>


More information about the Dnsmasq-discuss mailing list