[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records

Jeroen van der Ham vdham at uva.nl
Thu Sep 11 19:14:20 BST 2014


Hi,

On 11 Sep 2014, at 19:40, Jim Gettys <jg at freedesktop.org> wrote:
>> When exactly would you want dnsmasq to run as an authoritative name server?
> 
> All the time, for my home network.  It's my name space, I control it, and I need to have control over what names are globally/locally visible.

DNSSEC is not about visibility.

>> Note that signing records is not as simple as just flipping a switch, the key has to be trusted as well. Which means that you have to register a key at your registrar.
>> 
>> If it is for private use, there is no reason to use DNSSEC anyway.
> 
> Sure there is; otherwise any connection to devices on your home network is vulnerable to MITM attacks.  I can't/should not have to trust either my ISP or registrar with my signing keys.  As we've seen over the last year, there are "interesting" people out on the Internet doing bad things these days.

Ehm, are you sure you understand what DNSSEC is, and what automatic signing means?

DNSSEC means that you use keys to sign records. The way trust in these keys is established is through a trusted hierarchy of signed keys from the DNS root down to the key used for signing. The resolver has a hardcoded key for the root, so that it can follow this hierarchy and establish trust.

So yes, DNSSEC prevents MitM attacks, but only for public domains that have an established key in place. That being said, you still have to trust your resolver, or use a local resolver on your machine that does the verification.


Or do you mean that dnsmasq automatically *verifies* DNSSEC records?


Jeroen.
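The chain-of-trust argument in the message above, as an added, self-contained example that is not part of this thread and not dnsmasq code. It is a toy model of DNSSEC validation: each zone signs its own records (the RRSIG), each parent publishes a signed DS record (a SHA-256 digest of the child's key), and a validator that trusts only the root key walks root -> TLD -> domain before accepting a record. The model uses Ed25519 instead of the RSA/ECDSA algorithms deployed in DNSSEC, hashes the raw public key rather than the RFC 4034 DNSKEY RDATA, and omits RRset canonicalisation and signature validity periods; those are simplifications, not how real resolvers format the data. The `Scenario` function, zone names and key handling are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the toy hierarchy: root, a TLD, or a delegated domain.
// DSByName holds the DS records this zone publishes for its children.
type Zone struct {
	Name     string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	Parent   *Zone
	DSByName map[string]*DS
}

// DS is the parent's signed statement "child X signs with a key whose SHA-256 is Digest".
type DS struct {
	Child  string
	Digest []byte
	Sig    []byte
}

// RR is a record together with the signature (RRSIG) made by the owning zone's key.
type RR struct {
	Owner, Data string
	Sig         []byte
}

// NewZone generates a fresh signing key for a zone; parent is nil for the root
// and for a zone nobody above it vouches for.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, Parent: parent, DSByName: map[string]*DS{}}
}

// Delegate is what happens when a registrar accepts your key: the parent signs a
// DS record carrying the digest of the child's public key.
func (parent *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.Pub)
	msg := append([]byte(child.Name+"|"), d[:]...)
	parent.DSByName[child.Name] = &DS{Child: child.Name, Digest: d[:], Sig: ed25519.Sign(parent.priv, msg)}
}

// Sign produces a record signed by this zone's key.
func (z *Zone) Sign(owner, data string) RR {
	return RR{Owner: owner, Data: data, Sig: ed25519.Sign(z.priv, []byte(owner+"|"+data))}
}

// Validate is the local validating resolver: it trusts only the anchor (root key)
// and follows DS records downwards, so a key with no DS in its parent is rejected
// no matter how valid its own signatures are.
func Validate(anchor ed25519.PublicKey, z *Zone, rr RR) error {
	var path []*Zone // ordered top-most ancestor .. z
	for cur := z; cur != nil; cur = cur.Parent {
		path = append([]*Zone{cur}, path...)
	}
	if !bytes.Equal(path[0].Pub, anchor) {
		return fmt.Errorf("%s: top of chain is not the trust anchor", path[0].Name)
	}
	trusted := anchor
	for i := 1; i < len(path); i++ {
		parent, child := path[i-1], path[i]
		ds, ok := parent.DSByName[child.Name]
		if !ok {
			return fmt.Errorf("no DS for %s in %s: chain broken", child.Name, parent.Name)
		}
		msg := append([]byte(child.Name+"|"), ds.Digest...)
		if !ed25519.Verify(trusted, msg, ds.Sig) {
			return fmt.Errorf("DS for %s has a bad signature", child.Name)
		}
		if d := sha256.Sum256(child.Pub); !bytes.Equal(d[:], ds.Digest) {
			return fmt.Errorf("key of %s does not match its DS", child.Name)
		}
		trusted = child.Pub
	}
	if !ed25519.Verify(trusted, []byte(rr.Owner+"|"+rr.Data), rr.Sig) {
		return fmt.Errorf("RRSIG on %s is invalid", rr.Owner)
	}
	return nil
}

// Scenario builds root -> example -> public domain (delegated) and a home zone
// that signs its own records but has no DS anywhere above it. It returns the
// validation outcome for a public record, a home record, and a tampered record.
func Scenario() (publicErr, homeErr, tamperErr error) {
	root := NewZone(".", nil)
	tld := NewZone("example.", root)
	root.Delegate(tld)
	site := NewZone("www.example.", tld)
	tld.Delegate(site)
	home := NewZone("home.lan.", nil) // self-signed, never registered anywhere

	good := site.Sign("www.example.", "A 192.0.2.10")
	publicErr = Validate(root.Pub, site, good)
	homeErr = Validate(root.Pub, home, home.Sign("nas.home.lan.", "A 192.168.1.2"))
	forged := good
	forged.Data = "A 203.0.113.99" // attacker-modified answer, old signature kept
	tamperErr = Validate(root.Pub, site, forged)
	return
}

func main() {
	pub, home, tamper := Scenario()
	fmt.Println("public domain:", pub)
	fmt.Println("home zone:    ", home)
	fmt.Println("tampered:     ", tamper)
}
```

Running it prints `<nil>` for the public domain and an error for the other two: the home zone's signatures are cryptographically fine but there is no path from the root anchor to its key, which is why a registrar (or some other trusted publisher of the DS) is needed before signing buys anything against a man-in-the-middle.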