[Dnsmasq-discuss] Fwd: DS requests should be forwarded to the higher domain

Simon Kelley simon at thekelleys.org.uk
Wed Sep 10 22:05:14 BST 2014


On 10/09/14 00:34, Filippo Valsorda wrote:
> DS records are an ugly special case in DNSSEC, and they are kept not by
> the zone NS but by the one on top of it.
> 
> So when faced with a config like
> 
> server=8.8.8.8
> server=/ietf.org/64.170.98.2
> 
> an A request for ietf.org should go to 64.170.98.2 but a DS request for
> ietf.org should go to 8.8.8.8. Otherwise it won't be possible to
> verify a DNSSEC chain.
> 
> Attached is a patch that works but is horrible. Don't merge it.
> 
> Please cc me in replies. Thanks for the project!
> 

That's a very good point. I'm not sure that this has ever been a problem
in reality, because the server given in e.g.

server=/ietf.org/64.170.98.2

has to be a recursive server, so it should still be able to answer the
query for the DS record, by recursing the query to the next zone up.

In fact, my guess is that very, very, few people have ever tried to do
DNSSEC with servers for particular zones. It's usually used to handle
private domains that aren't in the "global" DNS, and very few of those
will be DNSSEC enabled.


Cheers,

Simon.
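
The routing rule Filippo describes above, as an added example in Python (not dnsmasq's own code, and not the patch from the thread). It models the two server= forms used in the message: a default upstream and a per-domain upstream, with the most specific matching domain winning, as dnsmasq documents. The one deliberate special case is the DS type: because a zone's DS RRset is held by the parent zone, the upstream is chosen by matching the parent of the query name rather than the name itself. The config lines and the query names are constructed for the example; nothing here is a real resolver, it only decides which server a query would be sent to.

```python
"""Model of dnsmasq-style server=/domain/ip routing with the DS special case.

Added example, not dnsmasq's own code. It implements the rule proposed in the
thread: a DS query for a name is answered by the parent zone, so the upstream
is chosen by matching parent(qname) instead of qname. Only the two server=
forms shown in the thread are parsed.
"""

# Constructed config, copied from the thread's example.
CONFIG = """
server=8.8.8.8
server=/ietf.org/64.170.98.2
""".splitlines()


def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.lower().rstrip(".")


def parent(name):
    """Drop the leftmost label: 'ietf.org' -> 'org', 'org' -> '' (root)."""
    name = normalize(name)
    if "." not in name:
        return ""
    return name.split(".", 1)[1]


def parse_config(lines):
    """Return (default_servers, {domain: [servers]}) from server= lines.

    server=IP          -> default upstream for anything not matched below
    server=/domain/IP  -> upstream for domain and every name under it
    """
    default = []
    by_domain = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/domain/ip: the domain sits between the two slashes
            _, domain, server = value.split("/", 2)
            by_domain.setdefault(normalize(domain), []).append(server)
        else:
            default.append(value)
    return default, by_domain


def match_domain(name, by_domain):
    """Longest-suffix match: the most specific server=/domain/ entry wins."""
    name = normalize(name)
    best = None
    for domain in by_domain:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def choose_upstream(qname, qtype, default, by_domain):
    """Pick the upstream server list for (qname, qtype).

    DS is the special case: the DS record for a zone lives in the parent, so
    the lookup key is parent(qname). DNSKEY, A, etc. key on qname itself.
    """
    key = parent(qname) if qtype.upper() == "DS" else normalize(qname)
    domain = match_domain(key, by_domain)
    if domain is None:
        return default
    return by_domain[domain]


def route_examples():
    """Route a handful of queries against CONFIG; returns {(qname, qtype): servers}."""
    default, by_domain = parse_config(CONFIG)
    queries = [
        ("ietf.org", "A"),          # zone's own data -> per-domain server
        ("ietf.org", "DNSKEY"),     # also held by the zone itself
        ("ietf.org", "DS"),         # held by org -> default server
        ("www.ietf.org", "DS"),     # held by ietf.org -> per-domain server
        ("example.com", "A"),       # unmatched -> default server
    ]
    return {q: choose_upstream(q[0], q[1], default, by_domain) for q in queries}


if __name__ == "__main__":
    for (qname, qtype), servers in route_examples().items():
        print(f"{qname:>16} {qtype:<7} -> {', '.join(servers)}")
```

The A and DNSKEY rows go to 64.170.98.2 while the DS row for ietf.org goes to 8.8.8.8; a DS query for www.ietf.org still lands on 64.170.98.2, because its parent is ietf.org and that zone's server is the one holding the delegation.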