Thank you for looking into this, Simon.

On 06/29/2018 03:47 PM, Simon Kelley wrote:
> Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective of
> of having DNSSEC validation compiled in or enabled.
Sure, this is true. Dnsmasq will pass the DO bit from the query. I think my
issue is, once an address is cached, it will serve it from the cache only. That
was fixed by your commit, thanks! Before, it broke as soon as the first client
asked without the DO bit, until the cache record expired, which almost
never happened for top-level domains.
> The thing to understand here is that the cache does not store all the
> DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
> to determine the set of DNSSEC RRs required in an answer. Therefore if
> the client wants the DNSSEC RRs, the query can not be answered from the
> cache. When DNSSEC validation is enabled, any query with the do-bit set
> is never answered from the cache, unless the domain is known not to be
> signed: the query is always forwarded. This ensures that the DNSEC RRs
> are included.It would be nice if also DNSSEC were cached. Most dnssec capable
resolvers would probably have its own cache, so it should not be
critical for performance. It is much more important it can work now.

Filed a new bug on Fedora for it:

> The same thing should be true when DNSSEC validation is not enabled, but
> there's a bug in the logic.
> line 1666 of src/rfc1035.c looks like this:
>   if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
>       !(crecp->flags & F_DNSSECOK))
>     { ...answer from cache ... }
> So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
> then the query is answered, and if the domain is known not to be signed,
> the query is answered.
> Unfortunately, if DNSSEC validation is not turned on then the
> F_DNSSECOK bit is not valid, and it's always zero, so the question
> always gets answered from the cache, even when the do-bit is set.
> This code should look like that at line 1468, dealing with PTR queries
>                 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
>                     !do_bit ||
>                     (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & 
> where the F_DNSSECOK bit is only used when validation is enabled.
> I think fixing that should make it work the way Petr wants, and I've
> pushed the fix as
Yes it fixed it!

> Cheers,
> Simon.

Petr Menšík
Software Engineer
Red Hat
PGP: 65C6C973

Dnsmasq-discuss mailing list
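The cache-answer decision discussed in the thread, modelled as an added illustration that is not dnsmasq's own code. Both the condition Simon quotes from line 1666 of src/rfc1035.c and the corrected form from the PTR branch are reproduced as stand-alone functions over a minimal record type. The F_* flag values, the struct, the function names and the reading of F_DNSSECOK as "set when the record belongs to a signed zone" are assumptions for this example; dnsmasq's real constants and record layout differ.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical flag values for this illustration; dnsmasq defines its own
 * F_* constants with different values and a richer cache record. */
#define F_HOSTS    (1u << 0)   /* record came from /etc/hosts */
#define F_DHCP     (1u << 1)   /* record came from a DHCP lease */
#define F_CONFIG   (1u << 2)   /* record came from configuration */
#define F_DNSSECOK (1u << 3)   /* record is from a signed zone; only valid
                                  when validation is enabled (assumed) */

struct crec {
    unsigned flags;            /* cache record flags, as in the quoted code */
};

/* Condition as quoted from line 1666 of src/rfc1035.c (the buggy form).
 * With validation compiled out or disabled, F_DNSSECOK is never set, so
 * the last operand is always true and every query, do-bit or not, is
 * answered from the cache without any DNSSEC RRs. */
bool answer_from_cache_buggy(const struct crec *crecp, bool do_bit)
{
    return (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
           !(crecp->flags & F_DNSSECOK);
}

/* Corrected condition, following the PTR-query branch Simon quotes:
 * F_DNSSECOK is only consulted when validation is enabled. A do-bit query
 * for a forwarded record is otherwise not answered from the cache, so it is
 * forwarded upstream and the DNSSEC RRs come back with the answer. */
bool answer_from_cache_fixed(const struct crec *crecp, bool do_bit,
                             bool dnssec_validation_enabled)
{
    return (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
           (dnssec_validation_enabled && !(crecp->flags & F_DNSSECOK));
}

/* Walk the cases that matter and print both decisions side by side. */
int main(void)
{
    struct {
        const char *name;
        unsigned flags;
        bool do_bit;
        bool validation;
    } cases[] = {
        { "forwarded record, DO set, validation off",    0,          true,  false },
        { "forwarded record, DO clear, validation off",  0,          false, false },
        { "/etc/hosts record, DO set, validation off",   F_HOSTS,    true,  false },
        { "signed zone (F_DNSSECOK), DO set, valid. on", F_DNSSECOK, true,  true  },
        { "zone known unsigned, DO set, validation on",  0,          true,  true  },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct crec rec = { cases[i].flags };
        printf("%-46s buggy=%-5s fixed=%s\n", cases[i].name,
               answer_from_cache_buggy(&rec, cases[i].do_bit) ? "cache" : "fwd",
               answer_from_cache_fixed(&rec, cases[i].do_bit, cases[i].validation)
                   ? "cache" : "fwd");
    }
    return 0;
}
```

The first case is the one Petr hit: a forwarded record with the DO bit set and validation off is served from the cache by the buggy condition (so the DNSSEC RRs are lost once the record is cached) but forwarded by the fixed one; the other cases show that local records, non-DO queries and zones known to be unsigned are still answered from the cache in both forms.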
