[Dnsmasq-discuss] New DNSSEC test release.
I just pushed out a new 2.69 test release, which completes the DNSSEC feature-set with NSEC3 secure denial of existence. Thanks go to Messrs Hunt, Gieben and Mekking for guiding me through that swamp.

If you're interested in DNSSEC, please give this a spin.

http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.69test9.tar.gz

Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] New DNSSEC test release.
I've just tagged 2.69test8, which has some significant fixes to the DNSSEC code.

One thing to note: I've also completely changed the way the trust anchors are specified, from DNSKEYS to DS records. If you're using the trust-anchors.conf file I supply, this should be transparent, but if you explicitly configured them, you'll need to change that configuration before the new binary will start successfully.

Cheers,

Simon.

Re: [Dnsmasq-discuss] New DNSSEC test release.
> One thing to note: I've also completely changed the way the trust anchors are specified, from DNSKEYS to DS records.

Very nice and, yes, it works. :) All that's left is to find a way to obtain those securely when dnsmasq starts up, somewhat in the way unbound-anchor(1) from Unbound does.

-JP

Re: [Dnsmasq-discuss] New DNSSEC test release.
On 11/02/14 12:10, Jan-Piet Mens wrote:

>> One thing to note: I've also completely changed the way the trust anchors are specified, from DNSKEYS to DS records.
>
> Very nice and, yes, it works. :) All that's left

I wish, I wish. NSEC3 is still lurking.

> is to find a way to obtain those securely when dnsmasq starts up, somewhat in the way unbound-anchor(1) from Unbound does.

Is unbound-anchor fairly stand-alone? Maybe run unbound-anchor and then convert the format of the resulting trust-anchors file would be a viable solution?

Simon.

> -JP

Re: [Dnsmasq-discuss] New DNSSEC test release.
> Is unbound-anchor fairly stand-alone? Maybe run unbound-anchor and then convert the format of the resulting trust-anchors file would be a viable solution?

Fairly, yes, but: if people can run unbound-anchor they have Unbound, so what would be the point of dnsmasq as a validator? ;-)

-JP
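
For the trust-anchor change announced in the 2.69test8 message above (DNSKEY to DS), an added example, not code from dnsmasq or from the posters: it derives the DS form of a DNSKEY using the RFC 4034 key-tag and SHA-256 digest calculations and formats it as a `trust-anchor=` line. The function names and the sample key are constructed for illustration, and the field order (domain, key tag, algorithm, digest type, digest) is an assumption to check against your dnsmasq version's man page.

```python
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("DNS label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_to_trust_anchor(owner, flags, protocol, algorithm, pubkey_b64):
    """Build a DS-style trust-anchor line (digest type 2, SHA-256) from one DNSKEY."""
    if not flags & 0x0100:
        # RFC 4034 section 5.2: a DS may only refer to a key with the Zone Key bit set.
        raise ValueError("Zone Key flag not set; not usable as a trust anchor")
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if algorithm == 1:
        raise ValueError("RSA/MD5 uses a different key-tag rule and is not handled")
    # Presentation format may split the base64 with whitespace; remove it first.
    pubkey = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    # DS digest = hash(owner name in wire format | DNSKEY RDATA), RFC 4034 5.1.4.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    domain = "." if owner.strip(".") == "" else owner.rstrip(".")
    return f"trust-anchor={domain},{key_tag(rdata)},{algorithm},2,{digest}"


if __name__ == "__main__":
    # Constructed 4-byte "key" (not a real key), only to show the output shape.
    print(dnskey_to_trust_anchor(".", 257, 3, 8, "AQID BA=="))
```

Check the resulting key tag and digest against a DS value obtained out of band before putting the line into the configuration; the conversion only reformats a key and does not establish that the key is the right one.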