> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?
I don't think this is going to be possible.
BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
As somebody with a lot of clout, such as you have at c't :-), I
> FYI: The originator of this tweet just fessed up to me that it was a fake.
I am talking to Marco now [1]. If this really was a fake, he's in trouble!
-JP
[1] https://twitter.com/jpmens/status/649980467928780800
___
Dnsmasq-discuss mailing
> but I cannot find any option for DLV.
ISC will stop accepting domains for DLV in 2016 and will terminate
service alltogether in 2017 [1]
-JP
[1] https://dlv.isc.org
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
One thing to note: I've also completely changed the way the trust
anchors are specified, from DNSKEYS to DS records.
Very nice and, yes, it works. :)
All that's left is to find a way to obtain those securely when dnsmasq
starts up, somewhat in the way unbound-anchor(1) from Unbound does.
Is unbound-anchor fairly stand-alone? Maybe run unbound-anchor and
then covert the format of the resulting trust-anchors file would be
a viable solution?
Fairly, yes, but: if people can run unbound-anchor they have Unbound, so
what would be the point of dnsmasq as a validator? ;-)
-JP
Ooops. Try now.
Very nice, Simon; looks good to me.
-JP
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
I moved forward to test7, and now the FIRST query (the one shipping the
RRSIG and other additional stuff) lacks the AD flag, subsequent
responses carry it.
I cannot confirm that. The first query sets the AD flag (and returns an
RRSIG in the response), and subsequent queries also set AD flag
1. I am getting different results on two subsequent identical queries
WRT RRSIG record and AD flag.
The second answer comes from the cache, and the D0 bit is not set in
the query, so the answer doesn't have the AD flag or RRSIG, if you
add +dnssec to the dig command you should see both in
Relying on round-robin has short-comings: e.g. getaddrinfo() which
obsoletes gethostbyname() orders results. See [1].
-JP
[1]
http://daniel.haxx.se/blog/2012/01/03/getaddrinfo-with-round-robin-dns-and-happy-eyeballs/
___
Dnsmasq-discuss
Is there anyway to update the mailing list to block this repeated spam?
Yes, *please*; it's getting out of hand.
-JP
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
IMHO, no effort is currently necessary.
I follow many mailing-lists, and dnsmasq-discuss is the _only_ one I
follow, in which I see spam.
And I neither use Thunderbird, nor is click here the solution.
-JP
___
Dnsmasq-discuss mailing list
My idea was to use something
more lightweight than bind, since from a featureset point of view, bind
would be really way too big for our purpose, since we basically need
forwarding servers only.
Have you looked at Unbound (unbound.net) ?
-JP
For dnsmasq, I can see that active-passive is easy to do. Take your
diagram above, and delete dnsmasq B. dnsmasq A keeps the tryant instance
A up-to-date with the lease database and that gets replicated to tyrant
B. If dnsmasq A fails, then dnsmasq B is started, intialises its lease
database
relaxing the hex parsing to make colons and leading zeros optional gets
the possibility of something that's almost an natural encoding in this
case, and may be generally useful if less easy to use.
dns-rr=44,2:1:123456789abcdef67890123456789abcdef67890
Opinions?
Go for it!
I recommend
Starting just a few days before the day the machine running dnsmasq in
my SOHO died, I was giving some thought to how I'd go about ensuring
a backup copy of dnsmasq could take over if my only running instance
died. Needless to say, the death of the machine left my small network in
shambles,
1,$s/Tryant/Tyrant/g
-JP
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
I'd suggest SQLite as a possibility. Easy to include, and as they
say: Small. Fast. Reliable. Choose any three.
SQLite was my first option, but it doesn't replicate automatically.
Easy to set up with rsync or something like it, of course, but that
wouldn't enable two dnsmasq servers to consult
keys as SSHFP-Records, so that I'm able to call via ssh
user@remotehost-o VerifyHostKeyDNS=yes and get a result line like
Matching host key
fingerprint found in DNS.
This may or not be painful, if you're not using DNSSEC. (You may like to
glance at a discussion, and the comments, at [1].)
When using dnsmasq to serve dhcp, what option or parameter must be set
in dnsmasq.conf to set which DNS servers the client will use?
dhcp-option=option:dns-server,address
ought to do the trick.
-JP
___
Dnsmasq-discuss mailing list
Maybe take it one step further,
--host-record=address,name[,alias,alias,...] so we can keep the
CNAMEs right there too.
Sounds sensible, as long as multiple --host-record are allowed for one name
(multi-homed, IPv4, IPv6)
-JP
___
which has fixes for everything which has come up so far, including a
crash when only IPv4 DHCP is enabled.
Has been running here flawlessly for a few hours now, including Lua.
Thank you for solving the reported crash. :-)
-JP
___
This has pretty much feature-complete, but very lightly tested DHCPv6
support. I'd really like as much testing of this done as possible.
It works for me with dnsmasq running on Mac OS/X 10.6.8 and a client
using dibbler [1].
Good show, Simon!
-JP
[1] http://klub.com.pl/
22 matches
Mail list logo
