I've been wanting to be able to enable DNSSEC validation for only specific
zones in dnsmasq for some time, and the features added in this commit allow me
to do it!
---
57f0489f384193f7c962fb2a20c9e2e867f86039
Redesign the interaction between DNSSEC vaildation and per-domain servers.
This should just work in all cases now. If the normal chain-of-trust exists into
the delegated domain then whether the domain is signed or not, DNSSEC
validation will function normally. In the case the delgated domain
is an "overlay" on top of the global DNS and no NS and/or DS records
exist connecting it to the global dns, then if the domain is
unsigned the situation will be handled by synthesising a
proof-of-non-existance-of-DS for the domain and queries will be
answered unvalidated; this action will be logged. A signed domain
without chain-of-trust can be validated if a suitable trust-anchor
is provided using --trust-anchor.
Thanks to Uwe Kleine-König for prompting this change, and contributing
valuable insights into what could be improved.
---
I tested this version of dnsmasq on my laptop at a hotel; the hotel's resolver
returns RRSIG RRs when requested, but does not return DS or DNSKEY RRs when
requested, so I cannot enable DNSSEC validation for all zones because any
signed zone would result in failure. However, I've got a personal zone that I
want validated responses from (so that OpenSSH can trust the AD bit and use
SSHFP records), and I've included a trust-anchor for that zone in the dnsmasq
configuration.
---
no-daemon
port=9953
no-resolv
dnssec
trust-anchor=.
server=/./10.1.10.1
trust-anchor=km6g.us,11487,13,2,693434c00cf3f8cdca0a8960f7b6df9913c61e619b2c46d4b10d612a99496b0d
server=/km6g.us/fddd:a03f:2620:189::6e
---
I've also included a 'server' setting to forward queries for that zone to its
hidden primary auth server, for cases where the local resolver from the
hotel/etc. won't even return RRSIG RRs when requested.
This works smoothly; the NTA for the root zone stops validation for any zone
except km6g.us, and the TA for that zone allows validation of that zone to work
as desired. Queries for names in that zone return the AD bit as they should.
Now I'll be eagerly anticipating both the release of dnsmasq 2.92 and its
inclusion into OpenWrt :-)
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
