----- Original Message -----
> I can see at least one bug in the code: in the code-path taken to answer
> a query from the cache, the value of the AD flag is never changed: it
> simply takes the value that it had in the query. I guess the
> "authenticated" status of the data should be cached, and used to provide
> this information.

I'm sure there is nothing wrong with caching the AD flag. However, as stated in the --proxy-dnssec documentation, dnsmasq as a non-validating resolver should not return the AD flag to clients, unless the --proxy-dnssec option is used.

> I'm currently deep into work to provide DNSSEC validation in dnsmasq,
> and all of this code is therefore subject to massive revision in the
> near future. I'll address the behaviour when dnsmasq is NOT validating
> itself as part of that work.

I can understand that implementing the DNSSEC validation is a hard task and requires a lot of time and effort. I can try to come up with a patch for the "AD" flag forwarding if you could agree with me on what is the correct behaviour here. Also, what is the role of the --proxy-dnssec option?

Thanks!

Regards,
Tomas

>
> Cheers,
>
> Simon.
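An added illustration of the behaviour discussed in this message, not dnsmasq's own code and not part of the original mail: it contrasts a cache reply path that leaves the AD bit as the query had it with one that caches the upstream "authenticated" status and returns AD only when proxying is enabled. The names `cache_entry`, `upstream_ad`, `reply_flags_buggy`, `reply_flags_fixed` and the `proxy_dnssec` parameter are hypothetical, and the query header is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits of the 16-bit DNS header flags word (RFC 1035, RFC 4035). */
#define F_QR 0x8000u  /* response */
#define F_RD 0x0100u  /* recursion desired */
#define F_RA 0x0080u  /* recursion available */
#define F_AD 0x0020u  /* authenticated data */

/* Hypothetical cache entry: records whether the upstream answer had AD set. */
struct cache_entry { int upstream_ad; };

/* Flags live in bytes 2 and 3 of the 12-byte DNS header, big-endian. */
static uint16_t get_flags(const uint8_t *hdr)
{
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* The reported bug: the reply reuses the query header, so AD is whatever
 * the client happened to send. */
uint16_t reply_flags_buggy(const uint8_t *query_hdr)
{
    return (uint16_t)(get_flags(query_hdr) | F_QR | F_RA);
}

/* Behaviour proposed in the thread (an assumption, not agreed upstream):
 * always clear the client's AD bit, then set it only if the cached data was
 * marked authenticated upstream AND AD proxying is enabled. */
uint16_t reply_flags_fixed(const uint8_t *query_hdr,
                           const struct cache_entry *e, int proxy_dnssec)
{
    uint16_t f = (uint16_t)((get_flags(query_hdr) & ~F_AD) | F_QR | F_RA);
    if (proxy_dnssec && e->upstream_ad)
        f |= F_AD;
    return f;
}

int main(void)
{
    /* Constructed query header: ID 0x1234, flags RD|AD, one question. */
    const uint8_t q[12] = {0x12, 0x34, 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 0};
    struct cache_entry unsigned_zone = {0}, signed_zone = {1};

    printf("buggy:                  0x%04x\n", (unsigned)reply_flags_buggy(q));
    printf("fixed, proxy off:       0x%04x\n", (unsigned)reply_flags_fixed(q, &signed_zone, 0));
    printf("fixed, proxy on, AD:    0x%04x\n", (unsigned)reply_flags_fixed(q, &signed_zone, 1));
    printf("fixed, proxy on, no AD: 0x%04x\n", (unsigned)reply_flags_fixed(q, &unsigned_zone, 1));
    return 0;
}
```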