On 24/03/14 21:13, Toke Høiland-Jørgensen wrote:
> Simon Kelley <si...@thekelleys.org.uk> writes:
>
>> Note that you may want to add --dnssec-check-unsigned to the
>> configuration. That will cause dnsmasq to ensure that unsigned
>> replies are legit by ensuring that there exists secure denial of
>> existence of a DS record somewhere on the path from the DNS
>> root to the domain. That should be added to the example config
>> file before the final release.
>
> It's also missing from the man page in the rc... :)
>
> -Toke
>

No it isn't.

--dnssec-check-unsigned
    As a default, dnsmasq does not check that unsigned DNS replies are
    legitimate: they are assumed to be valid and passed on (without the
    "authentic data" bit set, of course). This does not protect against
    an attacker forging unsigned replies for signed DNS zones, but it is
    fast. If this flag is set, dnsmasq will check the zones of unsigned
    replies, to ensure that unsigned replies are allowed in those zones.
    The cost of this is more upstream queries and slower performance.
    See also the warning about upstream servers in the section on
    --dnssec

Cheers,

Simon.
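The configuration the thread says should ship, written out as an added example (this is not dnsmasq's own example file and not text from either poster). The trust-anchors path is an assumption (distributions install the file dnsmasq ships under different prefixes) and the upstream address is a constructed documentation-range placeholder.

```conf
# Added example: minimal dnsmasq.conf with DNSSEC validation turned on.
# Path is an assumption: adjust to where your package installs
# dnsmasq's trust-anchors.conf (the root KSK as a DS record).
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

# Weak state (this line absent): an unsigned reply for a name in a
# signed zone is passed through with no AD bit but also no failure,
# so a forged unsigned answer for a signed zone is accepted.
# Hardened state (this line present): dnsmasq only accepts an unsigned
# reply after validating a secure denial of existence of a DS record
# somewhere on the path from the root to the domain. Expect extra
# upstream queries for names in genuinely unsigned zones.
dnssec-check-unsigned

# Upstream forwarder must return DNSSEC records (RRSIG/DS/NSEC) for
# validation to work at all; see the --dnssec man page section.
# Constructed placeholder address from the documentation range.
server=192.0.2.53
```

A quick check after restarting: a query for a signed name through this resolver should come back with the AD flag set, while a deliberately bogus-signed test name should return SERVFAIL.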