On 24/03/14 17:45, sven falempin wrote:
> openbsd 5.4: pkg_add libnettle (ewwwwwwwww)
> [make]
> $ ./src/dnsmasq --version
> Dnsmasq version 2.69rc1 Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>
> Would you please explain why the dependencies with <nettle>, can't we
> use the crypto of openSSH?

To be able to use openSSL, the license for dnsmasq would have to be changed:
http://en.wikipedia.org/wiki/OpenSSL#Licensing

> Here's the running setup :
> - - - - - - - - - -
> root 31974 0.0 0.1 992 1304 p5 I+ 6:40PM 0:00.01 dnsmasq -d -C /etc/dnsmasq.conf --log-queries
> # cat /etc/dnsmasq.conf
> domain-needed
> bogus-priv
> # Uncomment these to enable DNSSEC validation and caching:
> # (Requires dnsmasq to be built with DNSSEC option.)
> conf-file=/etc/trust-anchors.conf
> dnssec
> filterwin2k
>
> # cat /etc/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
>
> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> # It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> - - - - - - - - - -
>
> and a request output :
>
> dnsmasq: query[A] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 173.194.34.183
> dnsmasq: reply google.fr is 173.194.34.191
> dnsmasq: reply google.fr is 173.194.34.184
> dnsmasq: query[AAAA] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
> dnsmasq: query[MX] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is 216.239.32.21
> dnsmasq: reply thekelleys.org is 216.239.34.21
> dnsmasq: reply thekelleys.org is 216.239.36.21
> dnsmasq: reply thekelleys.org is 216.239.38.21
> dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is NODATA-IPv6
> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
>

That's what I would expect. The google domains are not, in general, signed (neither are most others). My domain is in fact thekelleys.org.uk, but that's not signed either. Try ietf.org or paypal.com or isc.org.

Note that you may want to add --dnssec-check-unsigned to the configuration. That will cause dnsmasq to ensure that unsigned replies are legit by ensuring that there exists secure denial of existence of a DS record somewhere on the path from the DNS root to the domain. That should be added to the example config file before the final release.

Cheers,

Simon.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
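As an added example (not code from the thread or from dnsmasq itself), the Python below groups --log-queries output like the one quoted above into one record per query and counts the validation outcomes, so you can see at a glance which names came back INSECURE (unsigned zones, as Simon explains) versus SECURE. The sample log is constructed: the google.fr and thekelleys.org lines are copied from the thread, the ietf.org lines are made up, and the outcome names SECURE/INSECURE/BOGUS are assumed from dnsmasq's "validation result is ..." wording.

```python
import re
from collections import Counter

# Constructed sample: google.fr/thekelleys.org lines are from the thread above,
# the ietf.org lines are made up (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[AAAA] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[A] ietf.org from 10.0.0.42
dnsmasq: forwarded ietf.org to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply ietf.org is 192.0.2.10
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
RESULT_RE = re.compile(r"validation result is (\w+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")

def parse_log(text):
    """One record per query[...] line; 'result' stays None if dnsmasq
    logged no validation line for it (e.g. answered from cache)."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append({"qtype": m.group(1), "name": m.group(2),
                            "client": m.group(3), "result": None, "answers": []})
            continue
        if not records:
            continue  # stray lines before the first query
        cur = records[-1]
        m = RESULT_RE.search(line)
        if m:
            cur["result"] = m.group(1)  # SECURE / INSECURE / BOGUS (assumed names)
            continue
        m = REPLY_RE.search(line)
        if m and m.group(1) == cur["name"]:
            cur["answers"].append(m.group(2))
    return records

def summarize(records):
    """Count validation outcomes across all parsed queries."""
    return Counter(r["result"] for r in records)
```

With --dnssec-check-unsigned enabled, an INSECURE result additionally means dnsmasq proved the absence of a DS record on the path from the root, so a BOGUS count in this summary is the line worth alerting on.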