[Dnsmasq-discuss] Testers wanted: DNSSEC.

Matthias Andree matthias.andree at gmx.de
Fri Feb 7 09:04:54 GMT 2014


On 07.02.2014 09:45, Matthias Andree wrote:
> On 07.02.2014 09:24, Simon Kelley wrote:
>> On 07/02/14 08:21, Jan-Piet Mens wrote:
>>>> Answering my previous question, this behaviour is specified in RFC
>>>> 6840 para 5.7. Code changes to implement it are in git now.
>>>
>>> Have they been committed? ;-) No visible change here ...
>>
>> Ooops.   Try now.
>>
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=e243c072b591cdeff8ac00483f5a9e426729534b
>>
>>
> 
> I moved forward to test7, and now the FIRST query (the one shipping the
> RRSIG and other additional stuff) lacks the AD flag, subsequent
> responses carry it.
> 
> Do I need to disable DNSSEC verification in the BIND that dnsmasq
> forwards to to get useful test results?

No, I figured that I had forgotten an old /etc/resolv.conf in place, and
the dnsmasq I am looking at was actually forwarding to a dnsmasq 2.59
compiled for Ubuntu 12.04LTS.

With BIND or UNBOUND for a forwarder, the first response also carries
the +AD, as it does for Jan-Piet.

So scrap this report for now, we should check, however, if dnsmasq
forwarding to a second instance of itself works properly. :)



