Hi again, > OK. scratch that. Looks like we just captured an irrelevant key-rollover. > > The problem here is that the reply to the original query contains an > unsigned RRset of NS records in the auth section. Said NS records are in > a signed zone, which flags them as bogus. As far as I can see, that's > correct for records in the answer section, but for records in the auth > section, it merely renders the reply as insecure. That would seem to > make the AD bit rather useless, but I guess it's useless anyway..... > > > http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69a0477b741c1f8195c64417fec4a92a50c9291a > > Attempts to fix this. > > Thanks again for your work testing and diagnosing this.
I can confirm that Dnsmasq 69a0477 resolves www.linuxquestions.org and www.ipv6.org.uk as expected (DNSSEC state insecure). Great work, thanks! Tore _______________________________________________ Dnsmasq-discuss mailing list Dnsmasqfirstname.lastname@example.org http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss