Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Jan-Piet Mens
> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?

I don't think this is going to be possible.

BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
As somebody with a lot of clout, such as you have at c't :-), I would
contact them and politely request they quickly start signing their
myfritz platform. Chances are they might even do that. ;-)

-JP

[1] https://twitter.com/marcodavids/status/649861646232485888

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Jan-Piet Mens
> FYI: The originator of this tweet just fessed up to me that it was a fake.

I am talking to Marco now [1]. If this really was a fake, he's in trouble!

-JP

[1] https://twitter.com/jpmens/status/649980467928780800



Re: [Dnsmasq-discuss] DLV and DnsMasq

2015-09-07 Thread Jan-Piet Mens
> but I cannot find any option for DLV.

ISC will stop accepting domains for DLV in 2016 and will terminate the
service altogether in 2017 [1].

-JP

[1] https://dlv.isc.org



Re: [Dnsmasq-discuss] New DNSSEC test release.

2014-02-11 Thread Jan-Piet Mens
> One thing to note: I've also completely changed the way the trust
> anchors are specified, from DNSKEYS to DS records.

Very nice and, yes, it works. :)

All that's left is to find a way to obtain those securely when dnsmasq
starts up, somewhat in the way unbound-anchor(1) from Unbound does.

-JP



Re: [Dnsmasq-discuss] New DNSSEC test release.

2014-02-11 Thread Jan-Piet Mens
> Is unbound-anchor fairly stand-alone? Maybe run unbound-anchor and
> then convert the format of the resulting trust-anchors file would be
> a viable solution?

Fairly, yes, but: if people can run unbound-anchor they have Unbound, so
what would be the point of dnsmasq as a validator? ;-)

-JP



Re: [Dnsmasq-discuss] Testers wanted: DNSSEC.

2014-02-07 Thread Jan-Piet Mens
> Ooops.   Try now.

Very nice, Simon; looks good to me.

-JP



Re: [Dnsmasq-discuss] Testers wanted: DNSSEC.

2014-02-07 Thread Jan-Piet Mens
> I moved forward to test7, and now the FIRST query (the one shipping the
> RRSIG and other additional stuff) lacks the AD flag, subsequent
> responses carry it.

I cannot confirm that. The first query sets the AD flag (and returns an
RRSIG in the response), and subsequent queries also set AD flag (without
the RRSIGs in the response).

FWIW, I'm using a validating Unbound as upstream resolver, but I've just
tested with a validating BIND, and dnsmasq handles both correctly.

-JP



Re: [Dnsmasq-discuss] Testers wanted: DNSSEC.

2014-02-06 Thread Jan-Piet Mens
> 1. I am getting different results on two subsequent identical queries
> WRT RRSIG record and AD flag.
>
> The second answer comes from the cache, and the DO bit is not set in
> the query, so the answer doesn't have the AD flag or RRSIG, if you
> add +dnssec to the dig command you should see both in replies from
> the cache,

I'm seeing the same that Matthias noted: the second response from
dnsmasq doesn't have the +AD bit set.

FWIW, Unbound and BIND9 both respond with +AD when I query them
consecutively with `dig +ad'.

Adding +dnssec to the flags upon querying dnsmasq works.

-JP

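As an added example (not code from dnsmasq or from anyone in this thread), here is a small Python decoder for DNS wire messages that pulls out exactly the bits the tests above hinge on: the AD and CD flags in the header, the DO bit in the OPT record, and how many RRSIGs the answer section carries. `dig +ad` sets the AD bit in the query and `dig +dnssec` sets DO; RFC 6840 section 5.7 has a validating resolver set AD in its response when either was set, while RRSIGs are only returned when DO was set. All messages are constructed in-line (placeholder name and address; the RRSIG RDATA is dummy bytes, not a signature), so the block runs offline. Feed `parse()` a real response captured from dnsmasq to check the same things.

```python
"""Decode DNS wire messages far enough to see who asked for, and who got,
the AD bit. Added example; not code from dnsmasq or from the thread.
Messages are constructed in-line: placeholder names/addresses, and the
RRSIG RDATA is dummy bytes, not a real signature."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # DO is bit 15 of the 32-bit TTL field of the OPT RR


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            if tail != ".":
                labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(do):
    """OPT pseudo-RR: owner is the root, CLASS is the UDP payload size,
    TTL carries extended RCODE, EDNS version and the DO flag."""
    return rr(".", TYPE_OPT, 4096, EDNS_DO if do else 0, b"")


def build_query(qname, do=False, ad=False):
    """dig +dnssec sets DO (via OPT); dig +ad sets the AD bit in the header."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + (opt_rr(True) if do else b"")


def build_response(qname, addr, ad, rrsig, do):
    """One A record, optionally a dummy RRSIG, AD and DO as requested."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    answers = [rr(qname, TYPE_A, 1, 300, bytes(int(o) for o in addr.split(".")))]
    if rrsig:
        # RRSIG RDATA: type covered, algorithm, labels, orig TTL, expiry,
        # inception, key tag, signer, signature; all constructed values.
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 3, 300, 0, 0, 12345)
                 + encode_name(qname) + b"\x00" * 64)
        answers.append(rr(qname, TYPE_RRSIG, 1, 300, rdata))
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + b"".join(answers) + (opt_rr(True) if do else b"")


def parse(msg):
    """Header flags, DO bit and RRSIG count of a wire-format DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    info = {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": False, "answers": an, "rrsigs": 0}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if section == "an" and rtype == TYPE_RRSIG:
                info["rrsigs"] += 1
            if section == "ar" and rtype == TYPE_OPT:
                info["do"] = bool(ttl & EDNS_DO)
    return info


def describe(query, response):
    """AD belongs in the answer when the query set DO or AD (RFC 6840 s5.7);
    RRSIGs belong there only when DO was set."""
    q, r = parse(query), parse(response)
    return {"expect_ad": q["do"] or q["ad"], "got_ad": r["ad"],
            "expect_rrsig": q["do"], "got_rrsig": r["rrsigs"] > 0}


if __name__ == "__main__":
    name, addr = "www.example.org.", "192.0.2.1"  # placeholders
    cases = {
        "dig +dnssec, uncached": (build_query(name, do=True),
                                  build_response(name, addr, ad=True, rrsig=True, do=True)),
        "dig +ad, cached (as reported)": (build_query(name, ad=True),
                                  build_response(name, addr, ad=False, rrsig=False, do=False)),
        "dig +ad +dnssec, cached": (build_query(name, do=True, ad=True),
                                  build_response(name, addr, ad=True, rrsig=True, do=True)),
    }
    for label, (q, r) in cases.items():
        print("%-32s %s" % (label, describe(q, r)))
```

Running the block classifies three exchanges; the middle one models the cached answer reported above, where AD was requested with `+ad` but came back clear.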


Re: [Dnsmasq-discuss] Round Robin ping

2012-07-30 Thread Jan-Piet Mens
Relying on round-robin has short-comings: e.g. getaddrinfo() which
obsoletes gethostbyname() orders results. See [1].

-JP

[1] http://daniel.haxx.se/blog/2012/01/03/getaddrinfo-with-round-robin-dns-and-happy-eyeballs/



Re: [Dnsmasq-discuss] New job vacancy - see details

2012-07-18 Thread Jan-Piet Mens
> Is there anyway to update the mailing list to block this repeated spam?

Yes, *please*; it's getting out of hand.

-JP



Re: [Dnsmasq-discuss] New job vacancy - see details

2012-07-18 Thread Jan-Piet Mens
> IMHO, no effort is currently necessary.

I follow many mailing-lists, and dnsmasq-discuss is the _only_ one I
follow, in which I see spam.

And I neither use Thunderbird, nor is "click here" the solution.

-JP



Re: [Dnsmasq-discuss] dnsmasq performance as dns forwarder in larger environments

2012-07-17 Thread Jan-Piet Mens
> My idea was to use something
> more lightweight than bind, since from a featureset point of view, bind
> would be really way too big for our purpose, since we basically need
> forwarding servers only.

Have you looked at Unbound (unbound.net) ?

-JP



Re: [Dnsmasq-discuss] A (possibly bad) idea: failover in dnsmasq

2012-05-26 Thread Jan-Piet Mens
> For dnsmasq, I can see that active-passive is easy to do. Take your
> diagram above, and delete dnsmasq B. dnsmasq A keeps the tryant instance
> A up-to-date with the lease database and that gets replicated to tyrant
> B. If dnsmasq A fails, then dnsmasq B is started, initialises its lease
> database from the tyrant B and is there for clients as they fail to talk
> to dnsmasq A and start to broadcast. More important dnsmasq B can
> provide a DNS service with all the clients in it straight away.

Understood. 

> This active-passive scheme shouldn't need any dnsmasq changes, and
> arranging to monitor server instances and start a new one when an
> existing one goes down is a solved problem: it's exactly what heartbeat
> does.
>
> Building a heartbeat harness to run dnsmasq active-passive and
> replicated tyrant (or another database) sure looks like a useful thing
> to try, IMHO.

I'll give that a bit of thought. (/dev/rob0's suggestion of using SQLite
is suddenly more appealing in this light, as it involves fewer moving
parts...)

-JP



Re: [Dnsmasq-discuss] dnsmasq and sshfp records

2012-05-25 Thread Jan-Piet Mens
> relaxing the hex parsing to make colons and leading zeros optional gets
> the possibility of something that's almost a natural encoding in this
> case, and may be generally useful if less easy to use.
>
> dns-rr=44,2:1:123456789abcdef67890123456789abcdef67890
>
> Opinions?

Go for it!

I recommend reading RFC 3597, Section 5 on the text-representation of
arbitrary DNS RR types, and if possible lean towards that, making lives
of people who copy paste RDATA easier. :)

-JP



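Added example, not dnsmasq code or anything posted in the thread: the same SSHFP RDATA written in the RFC 3597 section 5 generic form (`\# <rdlength> <hex>`) and in the relaxed colon-separated hex of the proposal quoted above, with parsers for both so copy-pasted RDATA can be checked against its declared length. The key blob in the demo is constructed bytes (not a usable key), and the `dns-rr=44,...` line mirrors the shape of the proposal rather than any released dnsmasq syntax.

```python
"""SSHFP RDATA in RFC 3597 generic text form and in the relaxed colon-hex
form from the quoted proposal. Added example; not code from dnsmasq or the
thread. The demo key blob is constructed bytes, so its fingerprint is
illustrative only."""
import base64
import hashlib
import re
import struct

# SSHFP algorithm / fingerprint-type numbers (RFC 4255, RFC 6594)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """authorized_keys / known_hosts style: '<type> <base64 blob> [comment]'."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in SSHFP_ALG:
        raise ValueError("unsupported or malformed public key line")
    return parts[0], base64.b64decode(parts[1], validate=True)


def sshfp_rdata(keytype, blob, fp_type):
    """RDATA = algorithm (1 byte), fp type (1 byte), digest of the raw key blob."""
    return struct.pack("!BB", SSHFP_ALG[keytype], fp_type) + SSHFP_HASH[fp_type](blob).digest()


def to_rfc3597(rdata):
    """RFC 3597 s5: '\\# <rdlength> <hex...>'; whitespace is allowed inside the hex."""
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


def from_rfc3597(text):
    """Parse the generic form back to bytes, rejecting a length/data mismatch."""
    m = re.match(r"\\#\s+(\d+)\s*(.*)$", text.strip(), re.S)
    if not m:
        raise ValueError("not RFC 3597 generic form: %r" % text)
    hexdata = re.sub(r"\s+", "", m.group(2))
    if len(hexdata) % 2:
        raise ValueError("odd number of hex digits")
    data = bytes.fromhex(hexdata)
    if len(data) != int(m.group(1)):
        raise ValueError("declared rdlength %s but got %d bytes" % (m.group(1), len(data)))
    return data


def to_loose_hex(rdata):
    """Relaxed form from the proposal: alg:fptype:fingerprint, leading zeros dropped."""
    return "%x:%x:%s" % (rdata[0], rdata[1], rdata[2:].hex())


def from_loose_hex(text):
    """Inverse of the above: colons optional, odd-length groups get a leading 0."""
    out = bytearray()
    for group in text.split(":"):
        if not group:
            continue
        if len(group) % 2:
            group = "0" + group
        out += bytes.fromhex(group)
    return bytes(out)


if __name__ == "__main__":
    # Constructed dummy blob shaped like an ssh-rsa key; not a usable key.
    blob = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\xff"
    line = "ssh-rsa %s test@example" % base64.b64encode(blob).decode()
    keytype, parsed = parse_pubkey_line(line)
    for fp_type in (1, 2):
        rd = sshfp_rdata(keytype, parsed, fp_type)
        print("dns-rr=44,%s" % to_loose_hex(rd))          # shape of the quoted proposal
        print("host.example. IN TYPE44 %s" % to_rfc3597(rd))  # RFC 3597 generic form
        assert from_rfc3597(to_rfc3597(rd)) == from_loose_hex(to_loose_hex(rd)) == rd
```

The length prefix in the RFC 3597 form is what makes it pleasant to copy-paste: a truncated or padded paste fails in `from_rfc3597` instead of producing a record that silently differs from the host key.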


[Dnsmasq-discuss] A (possibly bad) idea: failover in dnsmasq

2012-05-25 Thread Jan-Piet Mens
Starting just a few days before the day the machine running dnsmasq in
my SOHO died, I was giving some thought to how I'd go about ensuring
a backup copy of dnsmasq could take over if my only running instance
died. Needless to say, the death of the machine left my small network in
shambles, because I couldn't connect to anything to fix things without
first configuring temporary static addresses; sans DHCP, stuff fails... :)

I'm anything but a DHCP specialist, but I want to bounce this idea off
you anyway, even if you mind. ;-)

The trick, as I understand it, in setting up more than a single dnsmasq
instance in a network, is to ensure that it uses --dhcp-script to STORE
the leases and --leasefile-ro to force the script to produce a list of
current leases (init) from which a launching dnsmasq obtains its data
before going on its usual business.

If we were able to ensure the data store (i.e. lease database) were
available on two machines A and B (and up to date on both of course) the
solution would be easy, except for the fact that dnsmasq does not LOOKUP
(i.e. query) for a lease in the data store except upon startup.

I'm thinking along the lines of having a function lease_query() in
lease.c which dnsmasq invokes to determine whether a lease exists before
issuing a new lease for a device.

Being very lightweight, dnsmasq must not be bloated by having a huge
MySQL or other database attached to it. I've been searching the
Internets and finally landed upon Tokyo Tryant [1] which I've discussed a
long time ago [2].

What I'm basically getting at is providing dnsmasq with an optional very
lightweight replicating server which it (optionally) uses to ensure the
lease database can be propagated to a second (or third or fourth)
dnsmasq instance. The reason I'm suggesting Tryant is that, it too, is
lightweight and offers multi-master setups.

 +------------+       +------------+
 |  dnsmasq   |       |  dnsmasq   |
 |     A      |       |     B      |
 +-----+------+       +-----+------+
       |                    |
       v                    v
 +-----+------+       +-----+------+
 |   Tryant   |<----->|   Tryant   |
 |     A      |       |     B      |
 +-----+------+       +-----+------+
       |                    |
 +-----+------+       +-----+------+
 |   leases   |       |   leases   |
 +------------+       +------------+

In other words, dnsmasq (A) reads/writes leases from Tryant (A) and
dnsmasq (B) read/writes from/to Tryant (B). If Tryant (A) and (B) can
speak to each other, the database is replicated, irrespective of which
dnsmasq (A) or (B) has last written a lease.

I'll stop here, before boring you even more, but I'll gladly send you
snippets of code and a short howto set up a multi-master system. Most
important IMO is to keep things very light-weight in the spirit of
dnsmasq.

Best regards,

-JP

[1] http://fallabs.com/tokyocabinet/tokyoproducts.pdf
[2] http://jpmens.net/2009/09/06/tokyocabinet-a-wow-replacement-for-dbm/

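As an added example (not dnsmasq code or code from the thread), here is the store-and-init half of what the message above describes: a --dhcp-script that writes each add/old/del callback into SQLite and, when called with init under --leasefile-ro, prints the surviving leases in lease-file format for the starting dnsmasq. The callback argument order, the DNSMASQ_LEASE_LENGTH / DNSMASQ_LEASE_EXPIRES / DNSMASQ_CLIENT_ID variables and the lease-file layout (expiry, MAC, IP, hostname or *, client-id or *) are assumed from dnsmasq(8) and should be checked against the installed version; the database path is a placeholder. Replicating the SQLite file to the second node, or swapping SQLite for Tyrant, is left out on purpose, since that is the open question of the thread.

```python
"""A --dhcp-script for dnsmasq that keeps leases in SQLite and answers 'init'.

Added example; not code from dnsmasq or from the thread. Assumes the
dhcp-script contract from dnsmasq(8): argv is <action> <mac> <ip> [<hostname>]
with action add|old|del, plus a bare 'init' at startup when --leasefile-ro is
set, for which the script must print the lease table in lease-file format on
stdout. Lease expiry/length and client id are assumed to arrive in
DNSMASQ_LEASE_EXPIRES or DNSMASQ_LEASE_LENGTH and DNSMASQ_CLIENT_ID."""
import os
import sqlite3
import sys
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS leases (
    mac       TEXT PRIMARY KEY,
    ip        TEXT NOT NULL,
    hostname  TEXT,
    client_id TEXT,
    expires   INTEGER NOT NULL)"""


def open_store(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def expiry_from_env(env, now):
    """dnsmasq hands over either an absolute expiry or a lease length,
    depending on how it was built; accept both."""
    if "DNSMASQ_LEASE_EXPIRES" in env:
        return int(env["DNSMASQ_LEASE_EXPIRES"])
    return now + int(env.get("DNSMASQ_LEASE_LENGTH", "0"))


def safe_token(value):
    """The init output is whitespace-separated, so a client-chosen hostname
    containing whitespace must not be emitted as-is; fall back to '*'."""
    if not value or any(c.isspace() for c in value):
        return "*"
    return value


def init_lines(conn, now):
    """Lease-file format: '<expiry> <mac> <ip> <hostname|*> <clientid|*>'.
    Expired leases are skipped so a restarting dnsmasq does not resurrect them."""
    rows = conn.execute(
        "SELECT expires, mac, ip, hostname, client_id FROM leases "
        "WHERE expires > ? ORDER BY ip", (now,)).fetchall()
    return ["%d %s %s %s %s" % (exp, mac, ip, safe_token(host), safe_token(cid))
            for exp, mac, ip, host, cid in rows]


def handle(conn, argv, env, now=None):
    """Apply one dnsmasq callback; returns the lines to print (non-empty only for init)."""
    now = int(time.time()) if now is None else now
    if not argv:
        raise ValueError("dhcp-script called without an action")
    action = argv[0]
    if action == "init":
        return init_lines(conn, now)
    if len(argv) < 3:
        raise ValueError("%s needs <mac> <ip>" % action)
    mac, ip = argv[1], argv[2]
    hostname = argv[3] if len(argv) > 3 else None
    if action in ("add", "old"):
        # Parameterised SQL: hostname and client id are attacker-controlled input.
        conn.execute(
            "INSERT OR REPLACE INTO leases (mac, ip, hostname, client_id, expires) "
            "VALUES (?, ?, ?, ?, ?)",
            (mac, ip, hostname, env.get("DNSMASQ_CLIENT_ID"), expiry_from_env(env, now)))
    elif action == "del":
        conn.execute("DELETE FROM leases WHERE mac = ?", (mac,))
    else:
        raise ValueError("unknown dhcp-script action: %r" % action)
    conn.commit()
    return []


def main():
    # LEASE_DB and the default path are placeholders for this example.
    conn = open_store(os.environ.get("LEASE_DB", "/var/lib/misc/dnsmasq-leases.db"))
    for line in handle(conn, sys.argv[1:], os.environ):
        print(line)


if __name__ == "__main__":
    main()
```

Hook it in with --dhcp-script=/path/to/leasestore.py --leasefile-ro. The script runs as dnsmasq's user, so the database must be writable by that user and by nobody else: whatever it prints on init is taken by dnsmasq as the authoritative lease table, so write access to the file is write access to the leases.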


Re: [Dnsmasq-discuss] A (possibly bad) idea: failover in dnsmasq

2012-05-25 Thread Jan-Piet Mens
1,$s/Tryant/Tyrant/g

-JP



Re: [Dnsmasq-discuss] A (possibly bad) idea: failover in dnsmasq

2012-05-25 Thread Jan-Piet Mens
> I'd suggest SQLite as a possibility. Easy to include, and as they
> say: Small. Fast. Reliable. Choose any three.

SQLite was my first option, but it doesn't replicate automatically.
Easy to set up with rsync or something like it, of course, but that
wouldn't enable two dnsmasq servers to consult the same live data.

-JP



Re: [Dnsmasq-discuss] dnsmasq and sshfp records

2012-05-24 Thread Jan-Piet Mens
> keys as SSHFP-Records, so that I'm able to call via ssh
> user@remotehost -o VerifyHostKeyDNS=yes and get a result line like
> "Matching host key fingerprint found in DNS."

This may or not be painful, if you're not using DNSSEC. (You may like to
glance at a discussion, and the comments, at [1].)

> Since I've found nothing, it seems like dnsmasq doesn't support SSHFP-Records,
> right ?!?!

I don't think this is possible at the moment, but we'll have to ask
Simon. Simon? Are you there? :-)

-JP

[1]: http://jpmens.net/2011/02/18/verifyhostkeydnsmaybe/




Re: [Dnsmasq-discuss] Setting DNS for DHCP clients

2012-04-20 Thread Jan-Piet Mens
> When using dnsmasq to serve dhcp, what option or parameter must be set
> in dnsmasq.conf to set which DNS servers the client will use?

dhcp-option=option:dns-server,address

ought to do the trick.

-JP



Re: [Dnsmasq-discuss] Feature Request(s)

2012-03-15 Thread Jan-Piet Mens
> Maybe take it one step further,
> --host-record=address,name[,alias,alias,...] so we can keep the
> CNAMEs right there too.

Sounds sensible, as long as multiple --host-record are allowed for one name
(multi-homed, IPv4, IPv6)

-JP



Re: [Dnsmasq-discuss] dnsmasq-2.60test12

2012-02-17 Thread Jan-Piet Mens
> which has fixes for everything which has come up so far, including a
> crash when only IPv4 DHCP is enabled.

Has been running here flawlessly for a few hours now, including Lua.
Thank you for solving the reported crash. :-)

-JP



Re: [Dnsmasq-discuss] Call for testers DHCPv6 support.

2012-02-15 Thread Jan-Piet Mens
> This has pretty much feature-complete, but very lightly tested DHCPv6
> support. I'd really like as much testing of this done as possible.

It works for me with dnsmasq running on Mac OS/X 10.6.8 and a client
using dibbler [1].

Good show, Simon!

-JP


[1] http://klub.com.pl/
