[Dnsmasq-discuss] Fwd: DS requests should be forwarded to the higher domain
Filippo Valsorda
filippo at cloudflare.com
Wed Sep 10 22:50:09 BST 2014
On Wed, Sep 10, 2014 at 2:05 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 10/09/14 00:34, Filippo Valsorda wrote:
>> DS records are an ugly special case in DNSSEC, and they are kept not by
>> the zone NS but by the one on top of it.
>>
>> So when faced with a config like
>>
>> server=8.8.8.8
>> server=/ietf.org/64.170.98.2
>>
>> an A request for ietf.org should go to 64.170.98.2 but a DS request for
>> ietf.org should go to 8.8.8.8. Otherwise it won't be possible to
>> verify a DNSSEC chain.
>>
>> Attached is a patch that works but is horrible. Don't merge it.
>>
>> Please cc me in replies. Thanks for the project!
>>
>
> That's a very good point. I'm not sure that this has ever been a problem
> in reality, because the server given in eg
>
> server=/ietf.org/64.170.98.2
>
> has to be a recursive server, so it should still be able to answer the
> query for the DS record, by recursing the query to the next zone up.
Why does it have to be a recursive server? I'm really happy using
dnsmasq to bind a domain to its authoritative server. Like a dynamic
/etc/hosts file. The only problem I encountered doing this is with the
DS records, but it's the spec's fault ^^
> In fact, my guess is that very, very few people have ever tried to do
> DNSSEC with servers for particular zones. It's usually used to handle
> private domains that aren't in the "global" DNS - and very few of those
> will be DNSSEC enabled.
>
>
> Cheers,
>
> Simon.
>
I second that it's more of a development setup, but I still think this
is a bug :)
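The routing rule being argued over in this thread, as an added illustration (not dnsmasq code and not the attached patch, which is not reproduced here): a small model of `server=` matching where a DS query is matched against the parent of the queried name, so that the DS for ietf.org goes to the default upstream while an A query for ietf.org goes to the zone-specific server. Function names and the hostname www.ietf.org used in the checks are assumptions of this example.

```python
# Added example, not dnsmasq's own code: model how a forwarder picks an
# upstream for a query, and why DS queries must use the parent domain.
from typing import List, Optional, Tuple

Server = Tuple[str, str]  # (domain suffix, upstream address)


def parse_servers(config_lines: List[str]) -> List[Server]:
    """Parse dnsmasq-style 'server=' lines.
    'server=8.8.8.8' becomes ('', '8.8.8.8'), the default upstream;
    'server=/ietf.org/64.170.98.2' becomes ('ietf.org', '64.170.98.2')."""
    servers: List[Server] = []
    for line in config_lines:
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, addr = value.split("/", 2)
            servers.append((domain.lower().rstrip("."), addr))
        else:
            servers.append(("", value))
    return servers


def longest_match(servers: List[Server], name: str) -> Optional[str]:
    """Return the upstream of the most specific entry covering name."""
    name = name.lower().rstrip(".")
    best: Optional[Server] = None
    for domain, addr in servers:
        covers = domain == "" or name == domain or name.endswith("." + domain)
        if covers and (best is None or len(domain) > len(best[0])):
            best = (domain, addr)
    return best[1] if best else None


def pick_upstream(servers: List[Server], qname: str, qtype: str) -> Optional[str]:
    """Choose the upstream for (qname, qtype).  A DS record is held by the
    parent zone, so a DS query is matched on the name with its leftmost
    label removed; every other type is matched on the name itself."""
    lookup = qname.lower().rstrip(".")
    if qtype == "DS":
        lookup = lookup.split(".", 1)[1] if "." in lookup else ""
    return longest_match(servers, lookup)


# Constructed config, the same two lines as in the original message.
CONFIG = ["server=8.8.8.8", "server=/ietf.org/64.170.98.2"]
```

With this rule the DS for ietf.org is fetched from 8.8.8.8 (the .org side of the delegation), while the DS for a child such as www.ietf.org still goes to the ietf.org server, which is the behaviour needed to validate the chain.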