[Dnsmasq-discuss] Feature request: allow to enable/disable --dnssec-check-unsigned per upstream server

Andre Heider a.heider at gmail.com
Tue Jan 12 10:16:18 GMT 2016


On Mon, Jan 11, 2016 at 10:27 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> dig @5.9.49.12 dnskey . | dnssec-dsfromkey -2 -f - .
>
> The -2 flag tells dsfromkey to make the SHA256 hash
>
> . IN DS 7372 8 2 14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285
>
>
> A quick re-format into dnsmasq config format gives us
>
> trust-anchor=.,7372,8,2,14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285

I knew it was just a hash, but I was too lazy to look up how to get it
into a compatible format :)
dnssec-dsfromkey is the solution, thanks for that info.

Thanks,
Andre
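
The "quick re-format" from DS presentation format into a dnsmasq `trust-anchor=` line, scripted with a sanity check on the digest. This is an added example, not part of the original thread or of dnsmasq; the function name `ds_to_trust_anchor` is hypothetical, and the output layout simply follows the `trust-anchor=` line quoted above.

```shell
#!/bin/sh
# Added example: turn DS records (e.g. dnssec-dsfromkey output) read on stdin
# into dnsmasq trust-anchor= lines. The function name is hypothetical.
ds_to_trust_anchor() {
  awk '
    {
      # Locate the DS type token; an optional TTL and class may precede it.
      ds = 0
      for (i = 2; i <= NF; i++) if (toupper($i) == "DS") { ds = i; break }
      if (ds == 0 || NF < ds + 4) next      # not a complete DS record

      tag = $(ds + 1); alg = $(ds + 2); dt = $(ds + 3)

      # DS presentation format allows whitespace inside the hex digest,
      # so join every remaining field on the line.
      digest = ""
      for (i = ds + 4; i <= NF; i++) digest = digest $i
      digest = toupper(digest)

      # Expected hex length per digest type: 1=SHA-1, 2=SHA-256, 4=SHA-384.
      want = (dt == 1) ? 40 : ((dt == 2) ? 64 : ((dt == 4) ? 96 : -1))

      # Refuse anything truncated or malformed instead of emitting a bad anchor.
      if (tag !~ /^[0-9]+$/ || alg !~ /^[0-9]+$/ || want < 0 ||
          length(digest) != want || digest !~ /^[0-9A-F]+$/) {
        print "rejected DS record: " $0 | "cat 1>&2"
        bad = 1
        next
      }
      printf "trust-anchor=%s,%s,%s,%s,%s\n", $1, tag, alg, dt, digest
    }
    END { exit bad + 0 }
  '
}

# The DS record quoted in the thread, fed through the converter.
printf '%s\n' \
  '. IN DS 7372 8 2 14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285' \
  | ds_to_trust_anchor
```

With the live pipeline from the quoted message, the function goes at the end: `dig @5.9.49.12 dnskey . | dnssec-dsfromkey -2 -f - . | ds_to_trust_anchor`.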


