[Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?
Tomas Hozza
thozza at redhat.com
Mon Oct 5 11:07:17 BST 2015
On 03.10.2015 07:53, Stéphane Guedon wrote:
> On Friday, 2 October 2015, 19:34:30 Ernst Ahlers wrote:
>> Thanks for chiming in Stephane,
>>
>>> Allowing dnsmasq to sign (or give a proof of authenticity) would solve
>>> this
>>> problem, yet I am sure it is not easy.
>>
>> AFAIK there's no provision yet in dnsmasq for keeping signed domains.
>> After all it was never intended to be a fully fledged DNS server.
>>
>> So the only viable option I see now would be switching to Unbound --
>> which AVM is unlikely to do IMHO.
>>
>> Have a nice weekend all around!
>>
>> Ernst
>
> Unbound is only a resolver.
>
> To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.
>
> Bind would then allow you also to resolve (as it's the all-in-one dns).

You can have a local zone with local data also in Unbound.
Check https://unbound.nlnetlabs.nl/documentation/unbound.conf.html
and the options 'local-zone' and 'local-data' or 'stub-zone'.

I would say Unbound is as much an authoritative server as dnsmasq tries to be.
Plus Unbound can be easily reconfigured during runtime.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
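
An added example, not part of the original message: an unbound.conf fragment using the 'local-zone', 'local-data' and 'stub-zone' options named above on a validating resolver. The zone name `lan.`, the host names, the addresses and the trust anchor path are constructed for illustration.

```conf
server:
    # Validate upstream answers with DNSSEC (path is an assumption;
    # it differs between distributions).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Serve the LAN names directly from Unbound. "static" means any
    # name under lan. without local-data gets NXDOMAIN/NODATA instead
    # of being sent upstream, so internal names never leak out.
    local-zone: "lan." static
    local-data: "router.lan. IN A 192.168.1.1"
    local-data: "nas.lan.    IN A 192.168.1.10"
    local-data: "nas.lan.    IN AAAA fd00::10"

# Alternative to the local-zone block above (use one or the other for
# the same name): hand lan. to another server, e.g. dnsmasq on the
# router. Because lan. is unsigned and the signed root proves it does
# not exist, the validator must be told not to expect a chain of trust.
#
# server:
#     domain-insecure: "lan."
# stub-zone:
#     name: "lan."
#     stub-addr: 192.168.1.1

# Needed for changes at runtime with unbound-control.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

# Runtime changes, no restart required:
#   unbound-control local_data printer.lan. IN A 192.168.1.20
#   unbound-control local_data_remove printer.lan.
#   unbound-control list_local_data
```

Run `unbound-checkconf` on the file before reloading; records added with `unbound-control` are held in memory only and are lost on restart unless they are also written to the configuration.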