[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records

Jeroen van der Ham vdham at uva.nl
Fri Sep 12 09:17:44 BST 2014


Hi,

On 11 Sep 2014, at 20:54, Rene Bartsch <ml at bartschnet.de> wrote:

> On 2014-09-11 15:50, Jeroen van der Ham wrote:
> If you want to use your public domain in the local network (e.g. to resolve hostnames on multiple locations/local networks) and verify host certificates with DANE, you usually have to run Dnsmasq as caching resolver and DHCP-server on the router and an additional primary nameserver hosted in a data-center.

Fair enough.

> You also have to synchronize a lot of resource records between Dnsmasq DHCP and primary nameserver. If Dnsmasq supports automatic signing of resource records and your internet socket has a public static IP you save the additional primary nameserver as Dnsmasq can handle this. And you do not need proprietary synchronization mechanisms between Dnsmasq DHCP and primary nameserver.

Ah, you mean you want to use DNSmasq to do the automatic translation from DHCP leases to DNS, and then automatically sign them. I would still advise you to use a secondary nameserver, unless you’re not running any mission-critical systems (in which case I think this is somewhat over the top).

> You may also want to use Dnsmasq as a much simpler alternative to BIND/PowerDNS.
> 
> Last but not least consumer routers can act as primary nameservers for consumer domains with an easy to administrate web-interface.

I completely agree.

What I have trouble with though is that DNSSEC is not yet at a stage where it is easy to use. It certainly is still not easy to troubleshoot and pinpoint problems. This goes beyond having an easy interface to the DNS system itself, or automatic signing of records.

Jeroen.
