[Dnsmasq-discuss] Fwd: DS requests should be forwarded to the higher domain
Filippo Valsorda
filippo at cloudflare.com
Thu Sep 11 22:44:00 BST 2014
On Thu, Sep 11, 2014 at 2:15 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 10/09/14 22:50, Filippo Valsorda wrote:
>> On Wed, Sep 10, 2014 at 2:05 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>>> On 10/09/14 00:34, Filippo Valsorda wrote:
>>>> DS records are an ugly special case in DNSSEC, and they are kept not by
>>>> the zone NS but by the one on top of it.
>>>>
>>>> So when faced with a config like
>>>>
>>>> server=8.8.8.8
>>>> server=/ietf.org/64.170.98.2
>>>>
>>>> an A request for ietf.org should go to 64.170.98.2 but a DS request for
>>>> ietf.org should go to 8.8.8.8. Otherwise it won't be possible to
>>>> verify a DNSSEC chain.
>>>>
>>>> Attached is a patch that works but is horrible. Don't merge it.
>>>>
>>>> Please cc me in replies. Thanks for the project!
>>>>
>>>
>>> That's a very good point. I'm not sure that this has ever been a problem
>>> in reality, because the server given in eg
>>>
>>> server=/ietf.org/64.170.98.2
>>>
>>> has to be a recursive server, so it should still be able to answer the
>>> query for the DS record, by recursing the query to the next zone up.
>>
>> Why does it have to be a recursive server? I'm really happy using
>> dnsmasq to bind a domain to its authoritative server. Like a dynamic
>> /etc/hosts file. The only problem I encountered doing this is with the
>> DS records, but it's the spec's fault ^^
>
> I guess it doesn't have to be a recursive server, but it nearly always
> is, which is important when you have to worry about how big a problem
> this is.
>
> Is your solution a complete one? What happens to a query for (eg)
>
> DS www.ietf.org
>
>
> Cheers,
>
>
> Simon.
The patch is horrible but complete IMHO. A DS www.ietf.org would only
happen if there was a DNSKEY www.ietf.org (while the common case is
DNSKEY ietf.org) and in that case it would have to be in the ietf.org
zone. So yeah, the patch would do the right thing.
I'm not sure what the second call to search_servers is, tho.
>>> In fact, my guess is that very, very, few people have ever tried to do
>>> DNSSEC with servers for particular zones. It's usually used to handle
>>> private domains that aren't in the "global" DNS, - and very few of those
>>> will be DNSSEC enabled.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>>>
>>
>> I second that it's more of a development setup, but I still think this
>> is a bug :)
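The routing rule the thread describes, written out as an added example in Python (illustrative code, not dnsmasq's own server selection or the attached patch): the `server=` list is matched against the query name, except that a DS query is matched against the parent name, because the DS record lives in the zone above. The config lines and query names are the ones from the thread.

```python
# Added example: dnsmasq-style upstream selection with the DS special case.
# Illustrative only; this is not dnsmasq's server-selection code.

def parse_server_lines(lines):
    """Parse dnsmasq 'server=' lines into (domain, address) pairs.

    'server=8.8.8.8' -> ('', '8.8.8.8')  (the default upstream)
    'server=/ietf.org/64.170.98.2' -> ('ietf.org', '64.170.98.2')
    """
    servers = []
    for line in lines:
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, addr = value.split("/", 2)
            servers.append((domain.lower().rstrip("."), addr))
        else:
            servers.append(("", value))
    return servers


def longest_match(servers, name):
    """Return the address of the most specific entry covering name."""
    name = name.lower().rstrip(".")
    best_domain, best_addr = None, None
    for domain, addr in servers:
        if domain == "" or name == domain or name.endswith("." + domain):
            if best_domain is None or len(domain) > len(best_domain):
                best_domain, best_addr = domain, addr
    return best_addr


def parent(name):
    """Strip the leftmost label: www.ietf.org -> ietf.org, org -> ''."""
    name = name.rstrip(".")
    return name.split(".", 1)[1] if "." in name else ""


def select_upstream(servers, qname, qtype):
    """Pick the upstream for a query; DS is resolved at the parent zone."""
    lookup = parent(qname) if qtype.upper() == "DS" else qname
    return longest_match(servers, lookup)


CONFIG = ["server=8.8.8.8", "server=/ietf.org/64.170.98.2"]  # from the thread
SERVERS = parse_server_lines(CONFIG)

if __name__ == "__main__":
    for qname, qtype in [("ietf.org", "A"), ("ietf.org", "DS"), ("www.ietf.org", "DS")]:
        print(f"{qtype:<3} {qname:<14} -> {select_upstream(SERVERS, qname, qtype)}")
```

With the thread's config, DS ietf.org goes to 8.8.8.8 while DS www.ietf.org still goes to 64.170.98.2, which is the behaviour Simon asked about.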