On 05/02/14 08:58, Matthias Andree wrote:
Am 05.02.2014 09:46, schrieb Simon Kelley:

The second answer comes from the cache, and the DO bit is not set in the
query, so the answer doesn't have the AD flag or RRSIG. If you add
"+dnssec" to the dig command you should see both in replies from the cache.

Thank you. You are right, that part of it works.

In fact, dnsmasq forwards queries to FreeBSD's local BIND 9.8.4-P2 that
I configured to also use DNSSEC - the question is if dnscache should
only ever return back what it would also store into the cache.

Regarding query logging, I noticed a difference between BOGUS (known bad
signature) and INSECURE (no signature). I am not sure if these are
official terms from the RFCs, but even if INSECURE is ambiguous,
I would like to propose:

The terms come from RFC4033 section 5, but note that dnsmasq doesn't distinguish between "insecure" and "indeterminate" as defined there. It could do, but at significant performance cost. Currently if dnsmasq gets a reply which has no signature, it determines that it's insecure and does no further processing. To be able to distinguish such an answer between indeterminate and insecure, it would have to follow the chain of trust from the root to find proof of lack of signature of the zone in question. Since the external behaviour of dnsmasq is not affected by the indeterminate/insecure split, that seems somewhat pointless.

1. that the .example configuration file be enhanced with the dnssec
snippet you use in CHANGELOG - feel free to grab the port's patch from

Will do.

2. that the relevant query logging diagnostics and possible results for
DNSSEC be documented in the manpage, else this part of the manpage
remains unclear to a user in these respects:
  - what is a reply, what is a response (in technical documentation,
please always use the same word for the same subject)
  - BOGUS and SERVFAIL appear from nowhere without explanation elsewhere
in the manual.

               Set debugging mode for the DNSSEC validation, set the Checking
               Disabled bit on upstream queries, and don't convert BOGUS
               replies to SERVFAIL responses.

A valid point, this has caused widespread confusion.
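To make the first point concrete (why a plain `dig` sees neither AD nor RRSIG, while `dig +dnssec` sees both, and where SERVFAIL/CD fit in), here is an added example of my own; it is not code from this thread or from dnsmasq. It builds DNS queries with and without the EDNS0 DO bit, constructs resolver replies in memory (the 192.0.2.1 address and the all-zero RRSIG RDATA are placeholders, not captured traffic), and parses the reply header and records the way a client would. The function names are mine; it needs only the Python standard library.

```python
"""Added example (not from the dnsmasq thread or project): minimal DNS wire
encoding/decoding showing where the DO bit, the AD flag and RRSIG records
live, and what a client can conclude from them. All packets are constructed."""
import struct

FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled: ask the resolver not to validate
EDNS_DO = 0x8000   # DNSSEC OK bit, high bit of the flags in the OPT RR's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODE_SERVFAIL = 2


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    # Handles uncompressed labels and RFC 1035 compression pointers (0xC0xx).
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def opt_rr(do):
    # OPT pseudo-RR: root name, type 41, UDP size 4096 in CLASS,
    # ext-rcode/version/flags packed into the TTL field, RDLENGTH 0.
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)


def build_query(name, dnssec_ok, checking_disabled=False, txid=0x1234):
    """Wire form of `dig name` (dnssec_ok=False) or `dig +dnssec name` (True)."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    return msg + (opt_rr(True) if dnssec_ok else b"")


def build_response(query, signed, ad, rcode=0):
    """Constructed resolver reply: echoes the question, adds one A record and,
    only if the client set DO, an RRSIG with placeholder RDATA."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    client_do = len(query) > qend                      # query carried an OPT RR
    answers = []
    if rcode == 0:
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
                       + bytes([192, 0, 2, 1]))        # placeholder address
        if signed and client_do:
            answers.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8)
                           + b"\x00" * 8)              # placeholder signature RDATA
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if client_do else 0)
    return hdr + query[12:qend] + b"".join(answers) + (opt_rr(True) if client_do else b"")


def parse_response(msg):
    """Extract RCODE, AD/CD flags, DO bit and RRSIG presence from a reply."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QNAME, QTYPE, QCLASS
    types, do = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        do = do or (rtype == TYPE_OPT and bool(ttl & EDNS_DO))
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do, "rrsig": TYPE_RRSIG in types}


def describe(info):
    """Client-side reading of the parsed header/records."""
    if info["rcode"] == RCODE_SERVFAIL:
        return "servfail"       # what a validator returns for BOGUS data unless CD was set
    if info["ad"]:
        return "secure"         # resolver validated; RRSIGs are only included if DO was set
    return "unvalidated"        # AD clear: unsigned zone, or validation not requested


if __name__ == "__main__":
    for do in (False, True):
        q = build_query("example.com", dnssec_ok=do)
        print("DO=%s ->" % do, parse_response(build_response(q, signed=True, ad=do)))
```

Note that `describe` only reports what the header says: the AD bit is an assertion by the resolver, so it is only worth trusting when the path between client and resolver is itself trusted (a local dnsmasq on 127.0.0.1, for instance). A client that wants to validate for itself must set DO, keep the RRSIGs, and set CD so that a BOGUS answer arrives as data rather than as SERVFAIL.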



Dnsmasq-discuss mailing list