[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server
Andre Heider
a.heider at gmail.com
Sun Jan 10 14:46:19 GMT 2016
Hi,
On Sat, Jan 9, 2016 at 7:25 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> No that one slipped though the net. Thinking about that some more,
> there are likely fundamental problems with doing any DNSSEC on
> servers handling subdomains, since the chain-of-trust isn't going to work.
>
> EG. you run dnsmasq with
>
> server=/example.com/<ip-of-server>
>
> This is likely because that server knows about stuff under example.com
> which is not known about by the "global" DNS server which dnsmasq is
> forwarding to. Even if the example.com server is signing DNSSEC, it's
> highly unlikely that dnsmasq will be able to validate its output,
> since the chain-of-trust won't reach to it. If you're going to the
> trouble of getting the DS record for example.com signed by the .com
> administrators, then you may as well have them serve the delegation as
> well, and make example.com globally visible.
>
> It therefore makes sense to turn off DNSSEC validation for any domains
> handled by such servers.
>
> The next stage would be to turn it back on if there's a trust-anchor
> supplied for the domain. That would allow DNS servers for private
> domains to work with DNSSEC. Doing that is predicated on making the
> dnsmasq validation code work with non-root trust anchors. I don't
> think it does at the moment.
>
> So, that's a plan.
>
> 1) disable validation when forwarding to servers for a domain.
>
> and longer term
>
> 2) make non-root trust anchors work and turn it back on if one is
> provided.
>
>
> Comments?
It would be solving the .onion problem without the security issue of
disabling dnssec-check-unsigned.
But there are already non-IANA TLDs using DNSSEC out there, like
opennic, see [0].
Right now I can make use of that, e.g. with their .free TLD:
* dig +tcp +multi +noall +answer DS free @5.9.49.12
* trust-anchor=free,<output from earlier step>
* server=/free/5.9.49.12
and make dnsmasq resolve e.g. reg.for.free with dnssec enabled (next
to all the IANA TLDs). Your plan would break that until 2) is
implemented.
Having said that, this example isn't a clear solution either. It
fishes out the .free DS record since it's the only way I could find to
tell dnsmasq about it (using the trust-anchor "domain" field).
Maybe "named" trust-anchors are the most flexible solution. Something like this:
* trust-anchor=iana,...
* trust-anchor=opennic,...
* server=x.x.x.x/iana
* server=/free/x.x.x.x/opennic
* server=/indy/x.x.x.x/opennic
* server=/onion/x.x.x.x/none
But whatever 2) will be, having 1) so we don't have to disable
dnssec-check-unsigned would be a first step.
Thanks,
Andre
[0] http://wiki.opennicproject.org/dnssecroot
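As an added example (not from this mail or from dnsmasq itself), the helper below turns the `dig +multi +noall +answer DS` output from the first step of the .free recipe above into the `trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>` line dnsmasq expects, and checks that the digest length matches the digest type before emitting it. The DS value in the sample is constructed for illustration, not the real record for .free.

```python
import re

# Constructed sample of `dig +tcp +multi +noall +answer DS free @<server>` output.
# dig +multi wraps the digest in parentheses across several indented lines.
# The key tag and digest are made up; they are NOT the real .free DS record.
SAMPLE_DIG_OUTPUT = """\
free.\t\t3600\tIN\tDS\t12345 8 2 (
\t\t\t\t0123456789ABCDEF0123456789ABCDEF01234567
\t\t\t\t89ABCDEF0123456789ABCDEF )
"""

# Expected hex digest length per DS digest type (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_ds_records(dig_output):
    """Return (owner, key_tag, algorithm, digest_type, digest) tuples from dig output."""
    groups, current = [], []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                      # skip blanks and dig comments
        if not line[0].isspace():         # an unindented line starts a new record
            if current:
                groups.append(current)
            current = []
        current.extend(line.replace("(", " ").replace(")", " ").split())
    if current:
        groups.append(current)

    records = []
    for toks in groups:
        # toks: owner ttl class DS key-tag algorithm digest-type digest-chunks...
        if len(toks) < 8 or toks[3] != "DS":
            raise ValueError("not a DS record: %s" % " ".join(toks))
        owner = toks[0].rstrip(".")
        key_tag, alg, dtype = int(toks[4]), int(toks[5]), int(toks[6])
        digest = "".join(toks[7:]).upper()
        if not re.fullmatch(r"[0-9A-F]+", digest):
            raise ValueError("non-hex digest for %s" % owner)
        if DIGEST_HEX_LEN.get(dtype) != len(digest):
            raise ValueError("digest type %d with %d hex chars for %s"
                             % (dtype, len(digest), owner))
        records.append((owner, key_tag, alg, dtype, digest))
    return records


def trust_anchor_lines(dig_output):
    """Render each DS record as a dnsmasq trust-anchor= configuration line."""
    return ["trust-anchor=%s,%d,%d,%d,%s" % rec for rec in parse_ds_records(dig_output)]
```

Pair each emitted line with the matching `server=/<tld>/<ip>` line in dnsmasq.conf; a mismatch between digest type and digest length is reported instead of silently producing a trust anchor that can never validate.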