[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records

Simon Kelley simon at thekelleys.org.uk
Thu Sep 11 20:37:57 BST 2014


On 11/09/14 14:50, Jeroen van der Ham wrote:
> Hi,
> 
> On 22 Aug 2014, at 16:57, Rene Bartsch <ml at bartschnet.de> wrote:
>> BIND and PowerDNS can sign resource records automatically when run
>> as primary DNS with DNSSEC. Does Dnsmasq support signing resource
>> records automatically in authoritative mode or are there any plans
>> to support automatic zone signing in authoritative mode?
> 
> When exactly would you want dnsmasq to run as an authoritative name
> server?

When you have global addresses on your home network, and want to be able
to contact laptop.mydomain or fridge.mydomain from outside. Not a common
situation now, but very likely as IPv6 spreads. Dnsmasq can already do
this, BTW, look in the man page for authoritative mode. What it can't do
is serve the records signed, so there's no DNSSEC protection against MitM.
> 
> Note that signing records is not as simple as just flipping a switch,
> the key has to be trusted as well. Which means that you have to
> register a key at your registrar.

Making your domain appear in the global DNS needs a delegation anyway.
Adding a DS record is not so much harder.


Cheers,

Simon.

> 
> If it is for private use, there is no reason to use DNSSEC anyway.
> 
> Jeroen.