On Sunday, 14 June 2015 19:44:14, you wrote:
> Hi,
>
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon <steph...@22decembre.eu> wrote:
> > On Friday, 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled gets an
> > > unsigned response from a signed zone and the intended reaction of dnsmasq
> > > kicks in.
> > >
> > > Not a bug then. Is my understanding correct?
> >
> > As far as I understand, I have the same issue (except that dnsmasq itself is
> > serving the non-signed zone and unbound the signed one)!
> >
> > To solve that, I propose to make the unsigned zone on another domain or zone
> > than the signed one.
> >
> > server.domain.org is signed and the public face of your server.
> >
> > server.intern.domain.org is unsigned. Your users can then use this address,
> > and the DNS can still have different answers depending on where they are.
> >
> > Do you understand me?
> >
> > Do you think it is a good idea? (I am thinking of using it for my case.)
>
> Yes, I understand, I think it would work and it's a clever workaround for
> the issue, however in my case it does not help to maintain the end goal
> which was to provide authenticated response to that domain so that it is
> always trustworthy.
>
> That actually is becoming a DNSSEC question. Is there a way to provide
> split-horizon answers on signed zones? Can one name have 2 different valid
> answers and RRSIGs? Perhaps if the signature could be for a name/TTL pair,
> not just the name, and have different TTLs on those names? Dunno.
>
> Perhaps me trying to use DNS records to test whether the responses are
> coming over dnscrypt or not is flawed in nature.
>
> Thanks anyway,
> Maciej
Actually, it works at first glance (basic resolution and connectivity work), but it fails fast: when you have to work on your website that is hosted on your home server, nothing works anymore! So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have been tried. Maybe it will then give me an idea of the solution.

-- 
The file signature.asc is not attached to be read by you. It's a digital signature by GPG. If you want to know why I use it, and why you should as well, you can read my article there: http://www.22decembre.eu/2015/03/21/introduction-en/
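The following configuration is an added illustration of the workaround discussed in the quoted exchange (an unsigned child zone for internal names beside a signed public zone); it is not configuration posted by anyone in this thread. The zone names domain.org and intern.domain.org come from the thread; every IP address, the ns.intern name, and the file layout are constructed assumptions, and the trust-anchor line is a placeholder to be filled from the real root trust anchor.

```conf
# --- Part 1: public, DNSSEC-signed zone "domain.org" (zone-file fragment, assumed) ---
# Delegate the internal names to a separate child zone and deliberately
# publish NO DS record for it. After signing, the zone's NSEC/NSEC3 chain
# proves "no DS for intern", which is exactly what a resolver running
# dnssec-check-unsigned needs in order to treat unsigned answers from
# intern.domain.org as "insecure" (accepted) instead of "bogus" (rejected).
server          IN A     203.0.113.10          ; public address, signed (constructed)
intern          IN NS    ns.intern.domain.org. ; delegation, intentionally without DS
ns.intern       IN A     203.0.113.10          ; glue record (constructed)

# --- Part 2: home resolver running dnsmasq (dnsmasq.conf, assumed) ---
dnssec
# placeholder: copy the root KSK fields from the IANA trust anchor
trust-anchor=.,<key-tag>,<algorithm>,<digest-type>,<digest>
dnssec-check-unsigned
# Forward everything else to the validating upstream (unbound, constructed IP)
server=192.168.1.2
# Internal view of the UNSIGNED child zone: answered locally, never forwarded.
# dnsmasq does not validate its own local data, so no RRSIG is required here.
local=/intern.domain.org/
address=/server.intern.domain.org/192.168.1.10

# What the thread describes as failing: overriding a name that lives inside
# the SIGNED zone. A validating client behind this resolver gets an unsigned
# answer for server.domain.org, asks the parent for DS, finds the zone is
# signed, and dnssec-check-unsigned rejects the answer.
# address=/server.domain.org/192.168.1.10
```

To check the split, run `dig +dnssec server.intern.domain.org` from inside the home network: the expected result is a normal answer without the AD flag (insecure, not bogus), whereas the commented-out override of server.domain.org would produce SERVFAIL on a validating client. The tradeoff the reply above points out still stands: the internal name is deliberately unauthenticated, so nothing in this setup proves the answer came from the intended server.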
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss