[Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

Simon Kelley simon at thekelleys.org.uk
Wed Sep 30 22:00:56 BST 2015



On 30/09/15 21:12, Jan-Piet Mens wrote:
>> Anyway I'd like to be able to mark answers for local hosts within
>> the local network as validated. Is there an option to enable
>> this?
> 
> I hope not because it would be a lie; that zone has not been signed
> and thus cannot be validated. Indicating Authentic Data would be a
> lie.

I guess the logic is that dnsmasq is the authoritative source for that
data, so it doesn't need to validate it to know that it's real. The
problem is that, unless the zone is signed, dnsmasq has no way to
prove the data is valid. It's fine setting the AD flag, but what
happens when the client sets the DO flag too, indicating that it wants
to see the proof? The proof doesn't exist, so can't be given.

Simon.


> 
> My curiosity forces me to ask you: why would you want dnsmasq to
> do that? It's very simple nowadays to set up an authoritative
> DNSSEC-aware signer. Isn't that the solution you're actually
> looking for?
> 
> -JP
> 
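To make the distinction in the thread concrete (AD alone is a claim, AD plus a client DO bit is a claim that must be backed by RRSIGs), here is an added Python checker that is not part of the thread or of dnsmasq. It parses a wire-format response, reads the AD header bit, the DO bit from the echoed OPT record and the count of RRSIG records, and flags a response that asserts AD to a DO-requesting client without any proof; the `host.lan` message builder is constructed sample data with placeholder RRSIG RDATA, and it assumes the resolver echoes the client's DO bit as RFC 3225 requires.

```python
import struct

AD = 0x0020            # Authentic Data bit in the header flags word (RFC 4035)
DO = 0x8000            # DNSSEC OK bit in the OPT pseudo-RR's TTL field (RFC 6891)
TYPE_OPT, TYPE_RRSIG = 41, 46

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect(msg):
    """Summarise what a response claims (AD), what was asked (DO) and what it proves (RRSIGs)."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    rrsigs, do = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT and ttl & DO:
            do = True
    return {"ad": bool(flags & AD), "do": do, "rrsigs": rrsigs}

def ad_is_defensible(summary):
    """AD with no DO asks for nothing; AD with DO must be backed by RRSIG proof."""
    if not summary["ad"]:
        return True
    return not summary["do"] or summary["rrsigs"] > 0

def build(ad, do, with_rrsig):
    """Constructed sample: an A answer for host.lan, not a real capture; RRSIG RDATA is a placeholder."""
    qname = b"\x04host\x03lan\x00"
    flags = 0x8180 | (AD if ad else 0)                  # QR, RD, RA (+AD)
    answers = [qname + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 0, 10])]
    if with_rrsig:
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 3) + b"\x00\x01\x00")
    additional = [b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)] if do else []
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    return header + qname + struct.pack("!HH", 1, 1) + b"".join(answers + additional)
```

Run `ad_is_defensible(inspect(build(True, True, False)))` to see the case Simon describes: AD set, proof requested, none available.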