On 10/09/14 22:50, Filippo Valsorda wrote:
> On Wed, Sep 10, 2014 at 2:05 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
>> On 10/09/14 00:34, Filippo Valsorda wrote:
>>> DS records are an ugly special case in DNSSEC, and they are kept not by
>>> the zone NS but by the one on top of it.
>>>
>>> So when faced with a config like
>>>
>>> server=8.8.8.8
>>> server=/ietf.org/64.170.98.2
>>>
>>> an A request for ietf.org should go to 64.170.98.2 but a DS request for
>>> ietf.org should go to 8.8.8.8. Otherwise it won't be possible to
>>> verify a DNSSEC chain.
>>>
>>> Attached is a patch that works but is horrible. Don't merge it.
>>>
>>> Please cc me in replies. Thanks for the project!
>>>
>>
>> That's a very good point. I'm not sure that this has ever been a problem
>> in reality, because the server given in eg
>>
>> server=/ietf.org/64.170.98.2
>>
>> has to be a recursive server, so it should still be able to answer the
>> query for the DS record, by recursing the query to the next zone up.
>
> Why does it have to be a recursive server? I'm really happy using
> dnsmasq to bind a domain to its authoritative server. Like a dynamic
> /etc/hosts file. The only problem I encountered doing this is with the
> DS records, but it's the spec's fault ^^
I guess it doesn't have to be a recursive server, but it nearly always is, which is important when you have to worry about how big a problem this is.

Is your solution a complete one? What happens to a query for (eg) DS www.ietf.org?

Cheers,

Simon.

>> In fact, my guess is that very, very, few people have ever tried to do
>> DNSSEC with servers for particular zones. It's usually used to handle
>> private domains that aren't in the "global" DNS, - and very few of those
>> will be DNSSEC enabled.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>
> I second that it's more of a development setup, but I still think this
> is a bug :)
>

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
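The routing rule the thread argues about, written out as an added example. This is illustrative code, not Filippo's attached patch and not dnsmasq's own implementation: it parses the two `server=` lines from the message into a longest-suffix-match table and then resolves which upstream a query should be forwarded to. The one assumption it makes is the rule implied by the thread, that a DS record for a name lives in the parent zone, so a DS query is routed as if it were a query for the parent name. That also answers Simon's follow-up: DS www.ietf.org is routed as ietf.org and so still goes to 64.170.98.2, while DS ietf.org is routed as org and falls through to 8.8.8.8.

```python
# Added example (not dnsmasq code): upstream selection for dnsmasq-style
# "server=" lines, with DS queries sent to the server responsible for the
# parent zone. Assumes the DS-goes-to-parent rule from the thread.

# Constructed config, copied from the message in the thread.
CONFIG = """
server=8.8.8.8
server=/ietf.org/64.170.98.2
"""


def parse_config(text):
    """Return (default_servers, {domain: server}) from server= lines."""
    default = []
    by_domain = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/domain/address -> bind that domain (and subdomains)
            _, domain, addr = value.split("/", 2)
            by_domain[domain.lower().rstrip(".")] = addr
        else:
            # plain server=address -> default upstream for everything else
            default.append(value)
    return default, by_domain


def parent(name):
    """Strip the leftmost label; the root's parent is the root ('')."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def matching_server(name, default, by_domain):
    """Longest-suffix match of `name` against the domain table."""
    n = name.lower().rstrip(".")
    while True:
        if n in by_domain:
            return by_domain[n]
        if n == "":
            # Reached the root with no domain-specific match.
            return default[0] if default else None
        n = parent(n)


def route_query(qname, qtype, default, by_domain):
    """Pick the upstream for (qname, qtype).

    DS records are held by the parent zone, so a DS query is matched
    against the parent name rather than qname itself (assumed rule).
    """
    lookup_name = parent(qname) if qtype.upper() == "DS" else qname
    return matching_server(lookup_name, default, by_domain)


if __name__ == "__main__":
    default, by_domain = parse_config(CONFIG)
    for qname, qtype in [("ietf.org", "A"), ("ietf.org", "DS"),
                         ("www.ietf.org", "DS"), ("example.com", "A")]:
        print(f"{qtype:3} {qname:16} -> {route_query(qname, qtype, default, by_domain)}")
```

The check that matters for a validating resolver is the second case: without the parent-name rule, DS ietf.org would be sent to 64.170.98.2, a server that is authoritative for ietf.org but not for the org zone where that DS lives, and the chain from the root could not be completed.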