[Dnsmasq-discuss] Insecure DS reply received, do upstream DNS servers support DNSSEC?

Tore Anderson tore at fud.no
Fri Aug 30 20:11:07 BST 2019

* Simon Kelley

> I just pushed
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=fef2f1c75eba56b7355cbe729e4362474d558aa4
> Which makes the following changes:
> 1) No longer fail to validate a reply proving that a DS record doesn't
> exist if RRs in the auth section other the the NSEC/NSEC3 records needed
> for non-existence proof are not signed.
> 2) Use the TTL of the NSEC record when caching the non-existence of DS
> records.
> I'm currently testing this live here, and I'd appreciate it if you could
> give it a whirl too.

Excellent. I've been running it for a few hours now, no problems whatsoever so far.

In comparison, with HEAD^1, I could hardly use my computer for anything Internet-related.

So this is very promising indeed. Thanks!


More information about the Dnsmasq-discuss mailing list