On 09/28/2018 06:46 PM, Simon Kelley wrote:
On 28/09/18 23:07, Marc Heckmann wrote:
Very nice, I will test this.

I am curious though: what will be used for the NS record if the
auth-server configuration is omitted?

It appears to return an NS record of ".", i.e. the DNS root. Which is not
particularly sensible. This may need some more thought....



On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley <si...@thekelleys.org.uk> wrote:

     On 28/09/18 02:33, Marc Heckmann wrote:
     > Hello,
     > I'm currently running dnsmasq in a Docker container and have set up a
     > domain for which dnsmasq is to be authoritative. This is to do
     > subdomain delegation to the dnsmasq server. I am using the
     > auth-server & auth-zone configuration options for this. This works as
     > expected and is verifiable using dig with the "+norecurse" option to
     > query for the NS and SOA records. However, as it's a Docker container,
     > I only have and actually need a single interface (eth0) and when I
     > specify eth0 in the "auth-server" option, i.e.
     > "auth-server=<glue_record>,eth0", I noticed that it stops answering
     > recursive queries for names that it is not authoritative for.
     > I worked around this by replacing "eth0" with an IP that is not
     > in the container's network namespace and dnsmasq now does what I want
     > which is to answer to both non-recursive and recursive queries from the
     > same interface.
     > My question is the following: Are there any side effects to this hack?
     > Is there any reason why dnsmasq should not be able to provide
     > and authoritative service from the same interface? I can understand the
     > security reasons for wanting to prevent this on an Internet exposed
     > interface, but why not allow for an option to officially support
     > providing both kinds of service on the same interface?
     > Thanks.
     > -m

     This patch, in the pending 2.80 release, addresses this; it allows you
     to omit the auth-server configuration and get both recursive and
     authoritative answers on the interface(s) that dnsmasq is listening on.


In other software something like the following makes a reasonable non-functioning default, when things go wrong. It terminates locally instead of whatever root-as-NS will cause.
7200 IN SOA localhost. nobody.invalid. 1 3600 1200 9600 300
7200 IN NS localhost.

Dnsmasq-discuss mailing list