Hi again,

> OK. scratch that. Looks like we just captured an irrelevant key-rollover.
> 
> The problem here is that the reply to the original query contains an
> unsigned RRset of NS records in the auth section. Said NS records are in
> a signed zone, which flags them as bogus. As far as I can see, that's
> correct for records in the answer section, but for records in the auth
> section, it merely renders the reply as insecure. That would seem to
> make the AD bit rather useless, but I guess it's useless anyway.....
> 
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69a0477b741c1f8195c64417fec4a92a50c9291a
> 
> Attempts to fix this.
> 
> Thanks again for your work testing and diagnosing this.

I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and 
www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks!

Tore


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to