[Dnsmasq-discuss] Test report (success) for NTAs in 2.92test21

Wed Sep 3 15:10:21 UTC 2025

I've been wanting to be able to enable DNSSEC validation for only specific zones in dnsmasq for some time, and the features added in this commit allow me to do it!

---
57f0489f384193f7c962fb2a20c9e2e867f86039

Redesign the interaction between DNSSEC vaildation and per-domain servers.

This should just work in all cases now. If the normal chain-of-trust exists into
the delegated domain then whether the domain is signed or not, DNSSEC
validation will function normally. In the case the delgated domain
is an "overlay" on top of the global DNS and no NS and/or DS records
exist connecting it to the global dns, then if the domain is
unsigned the situation will be handled by synthesising a
proof-of-non-existance-of-DS for the domain and queries will be
answered unvalidated; this action will be logged. A signed domain
without chain-of-trust can be validated if a suitable trust-anchor
is provided using --trust-anchor.

Thanks to Uwe Kleine-König for prompting this change, and contributing
valuable insights into what could be improved.
---

I tested this version of dnsmasq on my laptop at a hotel; the hotel's resolver returns RRSIG RRs when requested, but does not return DS or DNSKEY RRs when requested, so I cannot enable DNSSEC validation for all zones because any signed zone would result in failure. However, I've got a personal zone that I want validated responses from (so that OpenSSH can trust the AD bit and use SSHFP records), and I've included a trust-anchor for that zone in the dnsmasq configuration.

---
no-daemon
port=9953
no-resolv
dnssec
trust-anchor=.
server=/./10.1.10.1
trust-anchor=km6g.us,11487,13,2,693434c00cf3f8cdca0a8960f7b6df9913c61e619b2c46d4b10d612a99496b0d
server=/km6g.us/fddd:a03f:2620:189::6e
---

I've also included a 'server' setting to forward queries for that zone to its hidden primary auth server, for cases where the local resolver from the hotel/etc. won't even return RRSIG RRs when requested.

This works smoothly; the NTA for the root zone stops validation for any zone except km6g.us, and the TA for that zone allows validation of that zone to work as desired. Queries for names in that zone return the AD bit as they should.

Now I'll be eagerly anticipating both the release of dnsmasq 2.92 and its inclusion into OpenWrt :-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250903/f1963a0a/attachment.htm>