Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-07-19 Thread Stéphane Guedon
Le dimanche 14 juin 2015 19:44:14, vous avez écrit : Hi, On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote: Le vendredi 12 juin 2015, 13:16:09 Maciej Soltysiak a écrit : A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-07-19 Thread Stéphane Guedon
Le dimanche 14 juin 2015 19:44:14, vous avez écrit : Hi, On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote: Le vendredi 12 juin 2015, 13:16:09 Maciej Soltysiak a écrit : A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-14 Thread Stéphane Guedon
Le vendredi 12 juin 2015, 13:16:09 Maciej Soltysiak a écrit : I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-14 Thread Maciej Soltysiak
Hi, On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote: Le vendredi 12 juin 2015, 13:16:09 Maciej Soltysiak a écrit : A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-14 Thread Maciej Soltysiak
On Fri, Jun 12, 2015 at 10:18 PM, Simon Kelley si...@thekelleys.org.uk wrote: On 12/06/15 12:16, Maciej Soltysiak wrote: I think I have discovered what the problem is and it's unlikely to be dnsmasq. Without doing an exhaustive analysis (I've done too many DNSSEC post-mortems recently)

[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Maciej Soltysiak
Hi, One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on. I replicated the issue with most recent openwrt Chaos Calmer package: dnsmasq-full. When dnssec and trust anhcor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Maciej Soltysiak
I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone - users who are on the service get *a different* A

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Simon Kelley
On 12/06/15 12:16, Maciej Soltysiak wrote: I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone -