openbsd 5.4: pkg_add libnettle (ewwwwwwwww)

[make]

$ ./src/dnsmasq --version
Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC

Would you please explain why the dependencies with <nettle>? Can't we use the crypto of OpenSSH?

Here's the running setup:

- - - - - - - - - -
root 31974  0.0  0.1   992  1304 p5  I+    6:40PM    0:00.01 dnsmasq -d -C /etc/dnsmasq.conf --log-queries

# cat /etc/dnsmasq.conf
domain-needed
bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
conf-file=/etc/trust-anchors.conf
dnssec
filterwin2k

# cat /etc/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014
# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- - - - - - - - - -

and a request output:

dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: reply google.fr is 173.194.34.184
dnsmasq: query[AAAA] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is 216.239.32.21
dnsmasq: reply thekelleys.org is 216.239.34.21
dnsmasq: reply thekelleys.org is 216.239.36.21
dnsmasq: reply thekelleys.org is 216.239.38.21
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[MX] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE

Best regards,

On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> It's time to start the release process for 2.69
>
> The big news for this release is DNSSEC validation. I've made a first
> release-candidate, available at
>
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>
> Please run it if you can, and report any problems. If you can configure
> DNSSEC and test that, all the better. CHANGELOG attached below.
>
>
> Cheers,
>
>
> Simon.
>
> -----------------------------------------------------------------------------
>
> Implement dynamic interface discovery on *BSD. This allows
> the constructor: syntax to be used in dhcp-range for DHCPv6
> on the BSD platform. Thanks to Matthias Andree for
> valuable research on how to implement this.
>
> Fix infinite loop associated with some --bogus-nxdomain
> configs. Thanks fogobogo for the bug report.
>
> Fix missing RA RDNS option with configuration like
> --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
> for spotting the problem.
>
> Add [fd00::] and [fe80::] as special addresses in DHCPv6
> options, analogous to [::]. [fd00::] is replaced with the
> actual ULA of the interface on the machine running
> dnsmasq, [fe80::] with the link-local address.
> Thanks to Tsachi Kimeldorfer for championing this.
>
> DNSSEC validation and caching. Dnsmasq needs to be
> compiled with this enabled, with
>
>     make dnsmasq COPTS=-DHAVE_DNSSEC
>
> this adds dependencies on the nettle crypto library and the
> gmp maths library. It's possible to have these linked
> statically with
>
>     make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
> which bloats the dnsmasq binary to over a megabyte, but
> saves the size of the shared libraries which are five
> times that size.
>
> To enable DNSSEC, you will need a set of
> trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are
> included in trust-anchors.conf in the dnsmasq
> distribution. You should of course check that these are
> legitimate and up-to-date. So, adding
>
>     conf-file=/path/to/trust-anchors.conf
>     dnssec
>
> to your config is all that's needed to get things
> working. The upstream nameservers have to be DNSSEC-capable
> too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are.
>
> When DNSSEC is configured, dnsmasq validates any queries
> for domains which are signed. Query results which are
> bogus are replaced with SERVFAIL replies, and results
> which are correctly signed have the AD bit set. In
> addition, and just as importantly, dnsmasq supplies
> correct DNSSEC information to clients which are doing
> their own validation, and caches DNSKEY, DS and RRSIG
> records, which significantly improves the performance of
> downstream validators. Setting --log-queries will show
> DNSSEC in action.
>
> The development of DNSSEC in dnsmasq was started by
> Giovanni Bajo, to whom huge thanks are owed. It has been
> supported by Comcast, whose techfund grant has allowed for
> an invaluable period of full-time work to get it to
> a workable state.
>
> Add --rev-server. Thanks to Dave Taht for suggesting this.
>
> Add --servers-file. Allows dynamic update of upstream
> servers full access to configuration.
>
> Add --local-service. Accept DNS queries only from hosts
> whose address is on a local subnet, ie a subnet for which
> an interface exists on the server. This option
> only has effect if there are no --interface, --except-interface,
> --listen-address or --auth-server options. It is
> intended to be set as a default on installation, to allow
> unconfigured installations to be useful but also safe from
> being used for DNS amplification attacks.
>
> Fix crashes in cache_get_cname_target() when dangling CNAMEs
> encountered. Thanks to Andy and the rt-n56u project for
> finding this and helping to chase it down.
>
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
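The thread above shows two things a practitioner wants to check when turning on DNSSEC in dnsmasq: that the trust-anchor= line is well-formed (Simon's note that you should check the anchors "are legitimate and up-to-date"), and what the --log-queries output actually says about validation. The script below is an added example, not code from the post or from the dnsmasq project. It parses the log lines quoted in the reply (copied verbatim) and a trust-anchor line, attributing each "validation result" line to the most recently forwarded name, because dnsmasq's result line does not carry the name itself. The bad.example lines are constructed to show how a BOGUS result (which dnsmasq turns into SERVFAIL) would surface; the digest-length table follows RFC 4034 (SHA-1, SHA-256) and the IANA DS digest registry (SHA-384). The anchor check is a format check only: it does not confirm that the DS matches IANA's root-anchors.xml, which still needs to be compared by hand or with a fetch.

```python
"""Summarise dnsmasq --log-queries DNSSEC output and sanity-check a
trust-anchor= line. Added example; not part of dnsmasq or the post."""
import re
from collections import Counter

# DS digest types (RFC 4034 / IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DS_DIGEST_BYTES = {1: 20, 2: 32, 4: 48}

TRUST_ANCHOR_RE = re.compile(
    r"^trust-anchor=([^,]+),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)$")

# Copied from the /etc/trust-anchors.conf shown in the post.
TRUST_ANCHOR_LINE = ("trust-anchor=.,19036,8,2,"
                     "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")


def trust_anchor_problem(line):
    """Return None if the line is a well-formed dnsmasq trust-anchor entry,
    otherwise a string describing the first problem found."""
    m = TRUST_ANCHOR_RE.match(line.strip())
    if not m:
        return "expected trust-anchor=zone,keytag,algorithm,digesttype,digest"
    keytag, dtype, digest = int(m.group(2)), int(m.group(4)), m.group(5)
    if not 0 <= keytag <= 65535:
        return "key tag %d is not a 16-bit value" % keytag
    if dtype not in DS_DIGEST_BYTES:
        return "unknown DS digest type %d" % dtype
    want = 2 * DS_DIGEST_BYTES[dtype]
    if len(digest) != want:
        return "digest type %d needs %d hex chars, got %d" % (dtype, want, len(digest))
    return None


# Log line shapes as printed by dnsmasq 2.69rc1 with --log-queries (see post).
QUERY_RE = re.compile(r"^dnsmasq: query\[(\w+)\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"^dnsmasq: forwarded (\S+) to (\S+)$")
RESULT_RE = re.compile(r"^dnsmasq: validation result is (\w+)$")
REPLY_RE = re.compile(r"^dnsmasq: reply (\S+) is (\S+)$")

# First 13 lines copied from the post; the bad.example lines are constructed.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: reply google.fr is 173.194.34.184
dnsmasq: query[AAAA] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: query[A] bad.example from 10.0.0.42
dnsmasq: forwarded bad.example to 8.8.8.8
dnsmasq: validation result is BOGUS
"""


def summarise_log(text):
    """Map each queried/forwarded name to its query types, a Counter of
    validation results and the answers logged for it. A result line is
    attributed to the name on the most recent 'forwarded' line."""
    names = {}

    def entry(name):
        return names.setdefault(name, {"queries": [], "results": Counter(), "answers": []})

    last_forwarded = None
    for raw in text.splitlines():
        line = raw.strip()
        m = QUERY_RE.match(line)
        if m:
            entry(m.group(2))["queries"].append(m.group(1))
            continue
        m = FORWARD_RE.match(line)
        if m:
            last_forwarded = m.group(1)
            entry(last_forwarded)
            continue
        m = RESULT_RE.match(line)
        if m and last_forwarded is not None:
            entry(last_forwarded)["results"][m.group(1)] += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            entry(m.group(1))["answers"].append(m.group(2))
    return names


def bogus_names(summary):
    """Names with at least one BOGUS validation; dnsmasq answers these with SERVFAIL."""
    return sorted(n for n, e in summary.items() if e["results"]["BOGUS"])


if __name__ == "__main__":
    print("trust anchor:", trust_anchor_problem(TRUST_ANCHOR_LINE) or "format OK")
    for name, e in summarise_log(SAMPLE_LOG).items():
        print(name, e["queries"], dict(e["results"]), len(e["answers"]), "answers")
```

Reading the post's own log through this lens: every result is INSECURE, which in dnsmasq's vocabulary means it proved the name sits in an unsigned zone, so the setup is validating correctly rather than failing. SECURE results (with the AD bit set on the reply) only appear for names in signed zones, and a BOGUS result is the one to alert on, since it means signatures were present but did not verify.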