On 19/07/18 23:40, Jeff Kopera wrote:
> Hi,
> 
> I am wondering if it is possible to use dnsmasq to store SSHFP records
> and then make use of them when using ssh with the VerifyHostKeyDNS=yes
> option.
> 
> I'm able to get the SSHFP into dnsmasq making use of dns-rr, but when I
> run ssh I get told that the fingerprint is insecure. I know if I were
> using bind I would be required to generate a ZSK and a KSK and sign the
> zone. I was wondering if there was an analogous process for dnsmasq.
> It's looking to me like this may be possible by adding more dns-rr
> records, but it's unclear to me what I need to add; I expect at a
> minimum DNSKEY and RRSIG.
> 
> Thanks for any help you can provide.

The DNSSEC support in dnsmasq is to do with validating DNSSEC
signatures; there's no support for signing a zone or providing DNSSEC
signed answers to local zones, sorry.


Cheers,

Simon


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss