I've got the code I described into dnsmasq. server=/domain/<ip-address>
now disables DNSSEC for queries sent to that server, unless there's a
corresponding trust-anchor=domain,....... That all seems to work well, I can
delegate to opennic at the TLD-level, rather than the root level.

I realised that there's a fundamental problem that all DNSSEC queries to
validate a query get sent to the same server as the original query. That
would break, e.g. a domain under .free which held a CNAME to another TLD.
Fixing that needs some long-overdue code re-writing, which is now in
progress.

Cheers,

Simon.

On 12/01/16 10:16, Andre Heider wrote:
> On Mon, Jan 11, 2016 at 10:27 PM, Simon Kelley <si...@thekelleys.org.uk>
> wrote:
>> dig @5.9.49.12 dnskey . | dnssec-dsfromkey -2 -f - .
>>
>> The -2 flag tells dsfromkey to make the SHA256 hash
>>
>> . IN DS 7372 8 2
>> 14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285
>>
>> A quick re-format into dnsmasq config format gives us
>>
>> trust-anchor=.,7372,8,2,14A2B8CAF58BFAAE0BD7C257488A341FCC542F9F88F0B678D620324CE7B55285
>
> I knew it was just a hash, but I was too lazy to look up how to get it
> into a compatible format :)
> dnssec-dsfromkey is the solution, thanks for that info.
>
> Thanks,
> Andre

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
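The DNSKEY-to-DS conversion that `dnssec-dsfromkey -2` performs in the quoted exchange, written out as an added Python example (not dnsmasq's or BIND's code) so the key tag and SHA-256 digest behind a `trust-anchor=` line can be checked by hand. The DNSKEY line is constructed with a fake 4-byte key, and the function names are my own.

```python
import base64
import hashlib
import struct

# Added example, not dnsmasq code: derive a dnsmasq trust-anchor line from a
# DNSKEY record in dig presentation format, as dnssec-dsfromkey -2 would.
# DS digest construction follows RFC 4034 section 5.1.4; key tag follows
# RFC 4034 Appendix B (valid for algorithms other than 1).

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; '.' is the root."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' into (owner, rdata, alg)."""
    fields = line.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # dig may split the key
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, rdata, alg

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def trust_anchor_line(dnskey_line: str) -> str:
    """dnsmasq syntax: trust-anchor=<domain>,<keytag>,<algorithm>,<digest type>,<digest>."""
    owner, rdata, alg = parse_dnskey(dnskey_line)
    return f"trust-anchor={owner},{key_tag(rdata)},{alg},2,{ds_sha256(owner, rdata)}"

# Constructed sample DNSKEY (4-byte fake key, NOT a real root key) in dig output format.
SAMPLE_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(trust_anchor_line(SAMPLE_DNSKEY))
```

Feeding it the real `dig @<server> dnskey .` output for the KSK (flags 257) should reproduce the key tag and digest that dnssec-dsfromkey prints.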