Hi. I have been trying to understand what --proxy-dnssec option does.
From what I understand, if it is NOT used, dnsmasq will NOT forward the AD flag set by the upstream server to its clients. If the --proxy-dnssec option is used, dnsmasq WILL forward the AD flag in the DNS answer IF it was set by the upstream server. If this is correct, then the dnsmasq behaviour differs.

I run:

[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv
dnsmasq: started, version 2.68 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses

and then on the same machine I run DIG:

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35121
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz.                 865     IN      A       217.31.205.50

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:11 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39434
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz.                 863     IN      A       217.31.205.50

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:13 CET 2013
;; MSG SIZE  rcvd: 40

You can see that after dnsmasq caches the answer it sets the AD flag for every subsequent query received from the client. If I set --cache-size=0, the AD flag is never set. Also, subsequent queries look fine.

However, if I run dnsmasq as follows:

[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo --server=8.8.8.8 --no-resolv --cache-size=0 --proxy-dnssec
dnsmasq: started, version 2.68 cache disabled
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses

then the AD flag is never forwarded to the client:

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz.                 670     IN      A       217.31.205.50

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:25 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz.                 1034    IN      A       217.31.205.50

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:30 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @8.8.8.8 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @8.8.8.8 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17357
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz.                 993     IN      A       217.31.205.50

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 11 14:51:10 CET 2013
;; MSG SIZE  rcvd: 51

As you can see, the 8.8.8.8 server sets the AD flag in the response.

Is this a bug or am I doing something wrong?

Thanks!

Regards,
Tomas Hozza

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
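To check exactly which header flags a resolver returned (the "flags: qr rd ra ad" line dig prints in the sessions above) without relying on dig's formatting, here is an added example; it is not from the post or from dnsmasq, and the two sample answers are constructed to mirror the post's dig output rather than captured packets.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 §4.1.1; AD and CD from RFC 4035), in dig's print order.
FLAG_BITS = [("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7), ("ad", 5), ("cd", 4)]

def parse_header(msg):
    """Return the fields of the 12-byte DNS header; 'flags' is a list such as ['qr', 'rd', 'ra', 'ad']."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": [n for n, bit in FLAG_BITS if flags & (1 << bit)],
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def build_query(name, qid=0x1234, want_ad=True):
    """Build a plain A/IN query with RD set. Setting AD in the query asks a validating
    resolver to report AD in its answer (RFC 6840 §5.7), which is what dig does by default."""
    flags = 0x0100 | (0x0020 if want_ad else 0)          # RD = bit 8, AD = bit 5
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN

def ad_set(response, expected_id=None):
    """True if the resolver marked the answer Authenticated Data; optionally check the ID matches."""
    hdr = parse_header(response)
    if expected_id is not None and hdr["id"] != expected_id:
        raise ValueError("response ID does not match the query")
    return "ad" in hdr["flags"]

def query_resolver(server, name, timeout=2.0):
    """Send one UDP A query to server:53 and return (flags, ad_bit) of the reply (needs network access)."""
    qid = 0x1234
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_header(data)["flags"], ad_set(data, expected_id=qid)

# Constructed sample answers for nic.cz, shaped like the two dig outputs in the post
# (first: qr rd ra only; second: qr rd ra ad). These are not captured packets.
_QUESTION = b"\x03nic\x02cz\x00" + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 865, 4) + bytes([217, 31, 205, 50])
SAMPLE_NO_AD = struct.pack("!6H", 35121, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_AD = struct.pack("!6H", 39434, 0x81A0, 1, 1, 0, 0) + _QUESTION + _ANSWER
```

Calling query_resolver("127.0.0.1", "nic.cz") and query_resolver("8.8.8.8", "nic.cz") side by side shows whether a forwarder passes the upstream's AD bit through or sets it on its own; the AD bit only tells a client something if it trusts the resolver that set it and the path to it, so a forwarder marking cached answers AD without validating them (the first session above) gives clients a false signal.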