[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Andre Heider a.heider at gmail.com
Fri Jan 8 14:18:01 GMT 2016


Hi,

On Sat, Sep 6, 2014 at 6:55 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 29/08/14 08:59, Rene Bartsch wrote:
>> Hi,
>>
>> I'm running Dnsmasq with DNSSEC-validation and "--dnssec-check-unsigned"
>> enabled. "server=/onion/127.0.0.1#9053" forwards .onion-queries to the
>> TOR-resolver. Unfortunately the TOR-resolver provides A-RRs only. So
>> resolving .onion-domains fails when "--dnssec-check-unsigned" is enabled.
>>
>> Please extend "--dnssec-check-unsigned" with an option for the server
>> address and port.
>>
>> "dnssec-check-unsigned" would enable for all upstream servers.
>>
>> "dnssec-check-unsigned=127.0.0.1#9053" would enable only for
>> 127.0.0.1#9053.
>>
>
> This ties in with something I was considering, which is to be able to
> disable DNSSEC checking for particular upstream servers. I guess it's
> better to associate it with the server than enable-dnssec or
> dnssec-check-unsigned, so we could have
>
> server-no-dnssec=/onion/127.0.0.1#9053
>
> or
>
> server-no-dnssec-unsigned=/onion/127.0.0.1#9053

I just ran into this. Was anything implemented to allow disabling
dnssec for selected servers?

Regards,
Andre
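
An added example, not part of the original message and not dnsmasq code: a small linter that lists the domain-scoped server= forwarders in a configuration where dnssec and dnssec-check-unsigned are both set, which is the combination Rene reports breaking .onion lookups. The function names and the sample configuration are constructed for illustration, and only the flag spellings used in the thread are recognized.

```python
import re

# Constructed sample mirroring the setup in the thread (not a real config).
SAMPLE_CONF = """\
# constructed sample
dnssec
dnssec-check-unsigned
server=9.9.9.9
server=/onion/127.0.0.1#9053
server=/corp.example/internal.example/10.0.0.53
server=/lan.example/#
"""

def parse_conf(text):
    """Return (flags, servers); servers are (lineno, domains, upstream)."""
    flags, servers = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment only at line start or after
        # whitespace, so the port in 127.0.0.1#9053 is preserved.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            flags.add(key)
        elif key == "server":
            domains = []
            if value.startswith("/"):
                *scoped, value = value.split("/")[1:]
                domains = [d for d in scoped if d]
            servers.append((lineno, domains, value))
    return flags, servers

def scoped_upstreams_under_unsigned_check(text):
    """List domain-scoped forwarders subject to the unsigned-reply check."""
    flags, servers = parse_conf(text)
    if not {"dnssec", "dnssec-check-unsigned"} <= flags:
        return []
    # "" (answer locally) and "#" (use the default servers) name no
    # dedicated upstream, so they are skipped.
    return [s for s in servers if s[1] and s[2] not in ("", "#")]

if __name__ == "__main__":
    for lineno, domains, upstream in scoped_upstreams_under_unsigned_check(SAMPLE_CONF):
        print(f"line {lineno}: {'/'.join(domains)} -> {upstream}")
```

Each reported line is a forwarder to review: an upstream like the Tor resolver in the thread, which returns A records only, cannot supply what the unsigned-reply check asks for.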


