[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Simon Kelley simon at thekelleys.org.uk
Sat Jan 9 18:25:04 GMT 2016


On 08/01/16 14:18, Andre Heider wrote:
> Hi,
> 
> On Sat, Sep 6, 2014 at 6:55 PM, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
>> On 29/08/14 08:59, Rene Bartsch wrote:
>>> Hi,
>>> 
>>> I'm running Dnsmasq with DNSSEC-validation and
>>> "--dnssec-check-unsigned" enabled.
>>> "server=/onion/127.0.0.1#9053" forwards .onion-queries to the 
>>> TOR-resolver. Unfortunately the TOR-resolver provides A-RRs
>>> only. So resolving .onion-domains fails when
>>> "--dnssec-check-unsigned" is enabled.
>>> 
>>> Please extend "--dnssec-check-unsigned" with an option for the
>>> server address and port.
>>> 
>>> "dnssec-check-unsigned" would enable for all upstream servers.
>>> 
>>> "dnssec-check-unsigned=127.0.0.1#9053" would enable only for 
>>> 127.0.0.1#9053.
>>> 
>> 
>> This ties in with something I was considering, which is to be
>> able to disable DNSSEC checking for particular upstream servers.
>> I guess it's better to associate it with the server than
>> enable-dnssec or dnssec-check-unsigned, so we could have
>> 
>> server-no-dnssec=/onion/127.0.0.1#9053
>> 
>> or
>> 
>> server-no-dnssec-unsigned=/onion/127.0.0.1#9053
> 
> I just ran into this, was anything implemented to allow disabling 
> dnssec for selected servers?
> 
> Regards, Andre
> 
No, that one slipped through the net. Thinking about that some more,
there are likely fundamental problems with doing any DNSSEC on
servers handling subdomains, since the chain-of-trust isn't going to
work.

E.g. you run dnsmasq with

server=/example.com/<ip-of-server>

This is likely because that server knows about stuff under example.com
which is not known about by the "global" DNS server which dnsmasq is
forwarding to. Even if the example.com server is signing DNSSEC, it's
highly unlikely that dnsmasq will be able to validate its output,
since the chain-of-trust won't reach to it. If you're going to the
trouble of getting the DS record for example.com signed by the .com
administrators, then you may as well have them serve the delegation as
well, and make example.com globally visible.

It therefore makes sense to turn off DNSSEC validation for any domains
handled by such servers.

The next stage would be to turn it back on if there's a trust-anchor
supplied for the domain. That would allow DNS servers for private
domains to work with DNSSEC. Doing that is predicated on making the
dnsmasq validation code work with non-root trust anchors. I don't
think it does at the moment.

So, that's a plan.

1) disable validation when forwarding to servers for a domain.

and longer term

2) make non-root trust anchors work and turn it back on if one is
provided.


Comments?

Simon.
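As an added example (not dnsmasq's own code, and not a description of an implemented feature), here is a small Python model of the two-step plan above: a query routed through a `server=/domain/addr` line is not validated, unless a non-root trust anchor at or below that domain also covers the query name. The `servers` and `trust_anchors` structures and the `should_validate` name are this example's own assumptions.

```python
# Added example, not dnsmasq code: a model of the validation policy
# proposed in the message above. Only the config vocabulary (server=
# and trust-anchor= domains) is taken from dnsmasq.
from typing import Dict, Iterable, List, Optional, Set


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, dropping the root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def _is_subdomain(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it ("" is the root)."""
    n, z = _labels(name), _labels(zone)
    return True if not z else n[len(n) - len(z):] == z


def _longest_match(name: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific zone in `zones` covering `name`, or None."""
    hits = [z for z in zones if _is_subdomain(name, z)]
    return max(hits, key=lambda z: len(_labels(z))) if hits else None


def should_validate(qname: str, servers: Dict[str, str],
                    trust_anchors: Set[str]) -> bool:
    """Decide whether the answer for `qname` should be DNSSEC-validated.

    servers: {"": "8.8.8.8", "onion": "127.0.0.1#9053", ...}, the domain
             part of each server=/domain/addr line ("" = default upstream).
    trust_anchors: domains that have a trust-anchor= line ("" = root).

    Step 1: a query sent to a domain-specific server is not validated,
    because the chain of trust from the root will not reach that server.
    Step 2: validation is re-enabled when a non-root anchor sits at or
    below the forwarded domain and covers the query name, since a chain
    can then be built from that anchor instead of from the root.
    """
    zone = _longest_match(qname, servers.keys())
    if zone is None or zone == "":
        # Default upstream: the ordinary root-anchored chain applies.
        return "" in trust_anchors
    return any(
        anchor != ""
        and _is_subdomain(anchor, zone)
        and _is_subdomain(qname, anchor)
        for anchor in trust_anchors
    )
```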
