[Dnsmasq-discuss] DNSSEC in dnsmasq's parent zone
Uwe Kleine-König
uwe+dnsmasq at kleine-koenig.org
Tue Jan 21 13:12:23 UTC 2025
On Mon, Jan 20, 2025 at 04:52:56PM +0100, Uwe Kleine-König wrote:
> Hello again,
>
> On Mon, Jan 20, 2025 at 11:32:57AM +0100, Uwe Kleine-König wrote:
> > On Sun, Jan 19, 2025 at 11:50:23PM +0000, Simon Kelley wrote:
> > > If you add a DS record for
> > > kleine-koenig.org to your config, it should work, assuming that
> > > 192.168.128.3 is DNSSEC capable.
> >
> > Now I added
> >
> > trust-anchor=kleine-koenig.org,34607,13,2,FF05DA4F2E6A2692421FA7ED99DF07205A6A04ABC917F26CD7E781520A2652D1
> >
> > which matches the DS record for kleine-koenig.org in both the public DNS
> > and the internal view and now delv happy.kk4.kleine-koenig.org works
> > (same output as above, with "unsigned answer" as expected).
>
> I did that on another router running an older OpenWrt (that is, it
> doesn't include your recent changes) and that made DNSSEC verification
> also work in that router's lan. Is that expected?

I take that back, it doesn't work. I think when I came to the conclusion
that it does work, my host's resolver settings used a different
nameserver than I expected. So indeed your changes in 2.91test8 are
relevant for my setup.

Best regards
Uwe