Hi Simon and others!

I am thinking about DNSSEC support in dnsmasq. Is it possible to enable DNSSEC support but disable DNSSEC validation at the same time? BIND, for example, has the options dnssec-enable and dnssec-validation. There is the option proxy-dnssec, but I think it only copies the AD flag in replies. The flag itself is worthless, I think.

I have one issue with dnsmasq in RHEL. We support a special FIPS 140-2 mode with certified crypto libraries. gnutls is certified, but nettle alone is not. Current versions in RHEL have DNSSEC support disabled. In Fedora it is enabled. Using gnutls for all crypto operations would make it trusted as well. The thing is, we would recommend using a certified DNSSEC resolver behind dnsmasq. The problem is that without DNSSEC support, any server using dnsmasq as a caching proxy is not able to validate a single thing.

This is often the case with libvirt. libvirt uses dnsmasq for DNS and DHCP. Any virtual machine under it is configured dynamically. But it is impossible to use a validating resolver in such a machine, like unbound. We use it together with dnssec-trigger to configure automatically from DHCP. Just try dig +dnssec in any libvirt machine. No signatures are included. A secondary problem is that libvirt currently has no way to enable DNSSEC in its configuration. But that is not to be solved here.

Is there a reason why validation, passing the DO bit and including signatures in replies are bundled together? I think DNSSEC support should be enabled by default today. But because DNSSEC validation can introduce and require cryptography support and configuration of trust anchors, it is not so wise to enable it by default.

Would a patch splitting support for DNSSEC queries from validation be welcome? What do you think about turning DNSSEC query support on by default, so dig +dnssec would pass signatures without additional configuration?

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasqemail@example.com
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
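The post distinguishes a reply that merely carries the AD flag (what proxy-dnssec copies) from one that actually includes RRSIG records. The following added check, which is not part of the post or of dnsmasq, classifies saved `dig +dnssec` output along those lines; the two sample replies are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the text of a
# `dig +dnssec` reply by whether it carries RRSIG records (signatures
# passed through) and whether the AD flag is set (validated upstream, or
# merely copied by a proxy such as dnsmasq's proxy-dnssec).

# Succeed (exit 0) when the ANSWER SECTION holds at least one RRSIG record.
reply_has_rrsig() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $4 == "RRSIG" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Succeed (exit 0) when the header flags line lists "ad".
reply_has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Print one of: validated, signed-only, ad-without-sigs, plain.
# "ad-without-sigs" is the proxy-dnssec case the post describes: the AD
# bit is copied, but a validating client behind the proxy gets nothing
# it could verify itself.
classify_reply() {
    if reply_has_rrsig "$1"; then
        if reply_has_ad_flag "$1"; then echo validated; else echo signed-only; fi
    else
        if reply_has_ad_flag "$1"; then echo ad-without-sigs; else echo plain; fi
    fi
}

# Constructed sample replies (shape of dig output, values made up).
SIGNED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    3600 IN A     192.0.2.1
example.com.    3600 IN RRSIG A 13 2 3600 20240101000000 20231201000000 12345 example.com. c29tZXNpZw==
'

UNSIGNED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    3600 IN A     192.0.2.1
'
```

Run it against real output with `classify_reply "$(dig +dnssec example.com @127.0.0.1)"`; a libvirt guest showing `plain` or `ad-without-sigs` is the situation the post describes.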