[Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?
tore at fud.no
Fri Aug 30 20:11:07 BST 2019
* Simon Kelley
> I just pushed
> Which makes the following changes:
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the the NSEC/NSEC3 records needed
> for non-existence proof are not signed.
> 2) Use the TTL of the NSEC record when caching the non-existence of DS
> I'm currently testing this live here, and I'd appreciate it if you could
> give it a whirl too.
Excellent. I've been running it for a few hours now, no problems whatsoever so far.
In comparison, with HEAD^1, I could hardly use my computer for anything Internet-related.
So this is very promising indeed. Thanks!
More information about the Dnsmasq-discuss