[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone

Uwe Kleine-König uwe+dnsmasq at kleine-koenig.org
Mon Jan 20 15:52:56 UTC 2025


Hello again,

On Mon, Jan 20, 2025 at 11:32:57AM +0100, Uwe Kleine-König wrote:
> On Sun, Jan 19, 2025 at 11:50:23PM +0000, Simon Kelley wrote:
> > If you add a DS record for
> > kleine-koenig.org to your config, it should work, assuming that
> > 192.168.128.3 is DNSSEC capable.
> 
> Now I added
> 
> 	trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1
> 
> which matches the DS record for kleine-koenig.org in both the public DNS
> and the internal view and now delv happy.kk4.kleine-koenig.org works
> (same output as above, with "unsigned answer" as expected).

I did that on another router running an older OpenWrt (that is, it
doesn't include your recent changes) and that made DNSSEC verification
also work in that router's LAN. Is that expected?

Best regards
Uwe
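
The "matches the DS record in both the public DNS and the internal view" check from the message above can be done mechanically. The following is an added example, not part of the original message and not dnsmasq code. The anchor values are the ones quoted in the message; the DS lines, their TTL and the "stale" view are constructed samples, and the function names are hypothetical.

```python
import re

# DS digest length in bytes per digest type (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

def _normalise(zone, tag, alg, dtype, digest_hex):
    # dig prints long digests in space-separated chunks; hex case is not significant.
    digest = bytes.fromhex("".join(digest_hex.split()))
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    if dtype in DIGEST_LEN and len(digest) != DIGEST_LEN[dtype]:
        raise ValueError(f"digest type {dtype}: expected {DIGEST_LEN[dtype]} bytes, got {len(digest)}")
    return (zone.rstrip(".").lower(), tag, alg, dtype, digest)

def parse_trust_anchor(line):
    """Parse 'trust-anchor=[<class>,]<zone>,<key-tag>,<alg>,<digest-type>,<digest>'."""
    key, _, value = line.strip().partition("=")
    fields = [f.strip() for f in value.split(",")]
    if len(fields) == 6:  # optional leading class field
        fields = fields[1:]
    if key.strip() != "trust-anchor" or len(fields) != 5:
        raise ValueError("not a dnsmasq trust-anchor line")
    return _normalise(*fields)

DS_RE = re.compile(
    r"\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-f\s]+)$", re.I)

def parse_ds_rr(line):
    """Parse a DS record in presentation format (as printed by dig or delv)."""
    m = DS_RE.match(line)
    if not m:
        raise ValueError("not a DS record")
    return _normalise(*m.groups())

def check_anchor(anchor_line, ds_lines_by_view):
    """Map each view name to True if one of its DS records equals the anchor."""
    anchor = parse_trust_anchor(anchor_line)
    return {view: any(parse_ds_rr(l) == anchor for l in lines)
            for view, lines in ds_lines_by_view.items()}

# Anchor values as quoted in the message; the DS lines below are constructed samples.
DIGEST = "FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1"
ANCHOR = "trust-anchor=kleine-koenig.org,34607,13,2," + DIGEST
VIEWS = {
    "public": [f"kleine-koenig.org.\t3600\tIN\tDS\t34607 13 2 {DIGEST[:56]} {DIGEST[56:]}"],
    "internal": [f"kleine-koenig.org. IN DS 34607 13 2 {DIGEST.lower()}"],
    "stale": [f"kleine-koenig.org. 3600 IN DS 34607 13 2 {'00' * 32}"],  # deliberate mismatch
}

if __name__ == "__main__":
    for view, ok in check_anchor(ANCHOR, VIEWS).items():
        print(f"{view}: {'match' if ok else 'MISMATCH'}")
```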