Re: [Dnsmasq-discuss] dnskey
On 29/01/14 19:30, e9hack wrote:
> How must I define a dnskey? Help shows:
>
>     --dnskey=domain,algo,key    Specify trust anchor DNSKEY
>
> I retrieve the trust anchor DNSKEY for the de zone with dig +multiline de dnskey
>
> ; <<>> DiG 9.7.6-P4 <<>> +multiline de dnskey
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29712
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;de.                    IN DNSKEY
>
> ;; ANSWER SECTION:
> de.                     835 IN DNSKEY 256 3 8 (
>                                 AwEAAZ3qQoezSnp7jBTIOEp7FGWi7ONawnSRKH+YKCIN
>                                 2lfos1JTOA4+3tEKaJ8RJ2PYExqsQqvD/JpMAmD26BrM
>                                 UGUm4CXvbDy3bHcTP4dEuDCehZEbjDZIrK5zBaueS8qA
>                                 5rnLbe9s/mFxexIiXl8FaCLeXqxWI6S0F5uJYOKqBxAF
>                                 ) ; key id = 60408
> de.                     835 IN DNSKEY 257 3 8 (
>                                 AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5
>                                 FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/
>                                 pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/
>                                 B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JD
>                                 d7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZs
>                                 gDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC
>                                 /VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/z
>                                 WUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
>                                 ) ; key id = 24220
>
> ;; Query time: 14 msec
> ;; SERVER: 192.168.101.1#53(192.168.101.1)
> ;; WHEN: Wed Jan 29 19:21:18 2014
> ;; MSG SIZE  rcvd: 444
>
> The second key is the trust anchor DNSKEY, right?
>
> If I set something like this:
>
> --dnskey=de,8,AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JDd7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZsgDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC/VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/zWUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
>
> I get the error 'bad DNSKEY'.
>
> Regards,
> Hartmut

You need the flags field, 257 too

--dnskey=de,257,8,AwEAAYbcKo...

(I missed out the protocol field, since it's defined to always and forever have value 3)

I'm about to add a new file to the git repo, called trust-anchors.conf, which has the root trust anchors in it. Just add

conf-file=/path/to/trust-anchors.conf

to your existing configuration, and all you trust will be anchored.

Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
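An added illustration of the conversion Simon describes (example code written for this page, not part of the thread or of dnsmasq): it parses a DNSKEY record as `dig +multiline` prints it, recomputes the RFC 4034 key tag so you can compare it with the `key id =` comment before trusting a pasted key, checks that the flags value is 257 (Zone Key + SEP, the KSK normally used as a trust anchor), and emits the `dnskey=domain,flags,algo,key` line. The sample record is constructed; the real de. record above pastes in unchanged.

```python
import base64
import re

# Constructed DNSKEY record in `dig +multiline` form (not the real .de key): flags 257,
# protocol 3, algorithm 8 (RSASHA256), key material "AQID" = bytes 01 02 03.
SAMPLE_RR = """de.  835 IN DNSKEY 257 3 8 (
        AQID
        ) ; key id = 2059"""

def parse_dnskey_rr(text):
    """Parse one presentation-format DNSKEY RR as printed by dig."""
    text = re.sub(r";.*", "", text)               # drop dig's trailing comments
    fields = re.sub(r"[()\s]+", " ", text).split()
    owner, _ttl, _cls, rrtype, flags, proto, algo, *key = fields
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % rrtype)
    if proto != "3":
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034 section 2.1.2)")
    return {"owner": owner.rstrip("."), "flags": int(flags),
            "algo": int(algo), "key_b64": "".join(key)}

def key_tag(flags, algo, key_b64):
    """RFC 4034 Appendix B key tag over the RDATA; equals the 'key id' dig prints."""
    rdata = flags.to_bytes(2, "big") + bytes([3, algo]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """Zone Key (0x0100) and SEP (0x0001) both set, i.e. 257: the trust-anchor key."""
    return flags & 0x0101 == 0x0101

def dnsmasq_dnskey_line(rr_text):
    """Build dnsmasq's dnskey=domain,flags,algo,key (protocol 3 is implied)."""
    rec = parse_dnskey_rr(rr_text)
    return "dnskey=%s,%d,%d,%s" % (rec["owner"], rec["flags"], rec["algo"], rec["key_b64"])

if __name__ == "__main__":
    rec = parse_dnskey_rr(SAMPLE_RR)
    print("key tag:", key_tag(rec["flags"], rec["algo"], rec["key_b64"]),
          "KSK:", is_ksk(rec["flags"]))
    print(dnsmasq_dnskey_line(SAMPLE_RR))
```

For the de. record quoted above, the computed tag should match dig's `key id = 24220`; a mismatch means the base64 was mangled in transit.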
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On 29/01/14 19:22, Dave Taht wrote:
> I have been (mostly) happily fiddling with my new comcast ipv6 connection, trying to route all dns queries over ipv6 in particular, by disabling requesting the ipv4 dns addrs and relying on the dhcpv6 request to succeed.
>
> config interface eth0
>         option 'ifname' 'eth0'
>         option 'proto' 'dhcp'
>         option 'peerdns' '0'
>
> config interface wan6
>         option ifname @eth0
>         option proto dhcpv6
>         option 'broadcast' '1'
>         option 'metric' '2048'
>
> works. yea! no more nat holes for ipv4 dns.
>
> Problem is, I also have a hurricane electric tunnel. When I try to use both, addresses from one get used on the other and dns forward lookups fail.
>
> I think the right answer is to abandon resolv.conf.auto and instead explicitly assign ipv6 source addrs in dnsmasq...
>
> server=2001:558:feed::1@:comcast:assigned:ipv6:address
> server=2001:558:feed::2@:comcast.assigned:ipv6:address
> server=2001:470:20::2@my:hurricane:assigned:ipv6:address
>
> yes? (I'll be trying this in a bit)
>
> One thing of possible useful note is that (yea!) we can just select some arbitrary new ipv6 address within the assigned range, add it to the local dnsmasq server box, and source dns lookups from that, using up just that port space.
>
> then my own /etc/resolv.conf just points to localhost for hm.armory.com, so I fix that with
>
> server=/hm.armory.com/172.26.3.1/
> server=/wifi.armory.com/172.26.2.1/
>
> But this doesn't help in terms of reverse lookups (I think), where I might or might not have my own delegated subdomain.
>
> from
>
> someoption= comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
> someoption= he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2

I'm not sure I follow all of this, but for reverse DNS something like

server=/hex, lots of hex.ip6.arpa/2001:558:feed::1

Will work.

> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.

Have you looked at the dnsmasq auth stuff for this?

Simon.

> My brain hurts.
Re: [Dnsmasq-discuss] Always Ignore Client Identifier
On 29/01/14 18:04, Linux Luser wrote:
> We have a pretty tightly-controlled private network environment which we've configured to have a 1-to-1-to-1 relationship between client MAC address, hostnames and IP addresses. Apart from guest IP ranges, we have control over when clients get added to the network. Thus, we can detect duplicate MAC addresses before it becomes an issue.
>
> In this setup, we don't need or want to use the client identifier option of DHCP. In fact, it becomes a problem when we start doing PXELinux installs, where a different client id gets set during a remote install session, then when the install is complete and the new OS boots up, it gets a different IP address (because dnsmasq still knows about the lease it gave that same machine only 10 minutes ago!).
>
> To get rid of this issue, we now supply a dhcp-host option to dnsmasq each time we want to do a remote reinstall. The option looks something like this:
>
> dhcp-host=MAC addr,id:*,hostname,IP addr,set:install
>
> This works, since the id:* part tells dnsmasq to ignore the client ID in favor of the MAC address.
>
> But now to my question. Can this be done for ALL DHCP requests? Is there a global identify-by-mac-only option? If not, would you be willing to entertain the idea. I know many others have done this for some time now, using other DHCP server software, so I know it's possible and there doesn't seem to be any ill effects of this.

There isn't a global option to do this, but there is precedent, in the form of --dhcp-ignore-names for adding it, and actually that's something more useful, since the tag system allows the setting to be applied to classes of clients (which could, of course, be all clients)

> Maybe this is not a good idea? Like I said, we have a fairly controlled environment, so it would work for us. I could see how this would be unnecessary for common setups, though. Or environments that have many VMs running on a single host and simply bridge their network interface may want to use the client identifier option so each VM gets a unique IP even if they're running on the same machine or t
>
> But it would be nice to have a greater level of control over this.
>
> Thanks for your time. And GREAT piece of software, by the way. dnsmasq is a HUGE time saver and makes changing configurations straight-forward. Do you accept donations? :)

Donations by Paypal to si...@thekelleys.org.uk are always welcome, or you could commission me to add new features. I'm available for that on a consultancy basis, cheaper for stuff which goes back into the dnsmasq GPL codebase, more expensive for proprietary code.

Cheers,

Simon.

> --
> daV.e
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On Thu, Jan 30, 2014 at 1:57 AM, Simon Kelley si...@thekelleys.org.uk wrote:
> On 29/01/14 19:22, Dave Taht wrote:
>> I have been (mostly) happily fiddling with my new comcast ipv6 connection, trying to route all dns queries over ipv6 in particular, by disabling requesting the ipv4 dns addrs and relying on the dhcpv6 request to succeed.
>>
>> config interface eth0
>>         option 'ifname' 'eth0'
>>         option 'proto' 'dhcp'
>>         option 'peerdns' '0'
>>
>> config interface wan6
>>         option ifname @eth0
>>         option proto dhcpv6
>>         option 'broadcast' '1'
>>         option 'metric' '2048'
>>
>> works. yea! no more nat holes for ipv4 dns.
>>
>> Problem is, I also have a hurricane electric tunnel. When I try to use both, addresses from one get used on the other and dns forward lookups fail.
>>
>> I think the right answer is to abandon resolv.conf.auto and instead explicitly assign ipv6 source addrs in dnsmasq...
>>
>> server=2001:558:feed::1@:comcast:assigned:ipv6:address
>> server=2001:558:feed::2@:comcast.assigned:ipv6:address
>> server=2001:470:20::2@my:hurricane:assigned:ipv6:address

To try to explain the reasoning for this better, the first two servers refuse requests from an address range assigned the third. This is probably because the first two are not open resolvers.

>> yes? (I'll be trying this in a bit)
>>
>> One thing of possible useful note is that (yea!) we can just select some arbitrary new ipv6 address within the assigned range, add it to the local dnsmasq server box, and source dns lookups from that, using up just that port space.
>>
>> then my own /etc/resolv.conf just points to localhost for hm.armory.com, so I fix that with
>>
>> server=/hm.armory.com/172.26.3.1/
>> server=/wifi.armory.com/172.26.2.1/
>>
>> But this doesn't help in terms of reverse lookups (I think), where I might or might not have my own delegated subdomain.
>>
>> from
>>
>> someoption= comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
>> someoption= he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2
>
> I'm not sure I follow all of this, but for reverse DNS something like
>
> server=/hex, lots of hex.ip6.arpa/2001:558:feed::1
>
> Will work.

Syntactically having to have a tool to reverse the domain is a pita, what I'd like is

reverse=#260x:x:y:z::/60#2001:558:feed::1#

>> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.
>
> Have you looked at the dnsmasq auth stuff for this?

head, hurting.

> Simon.
>
>> My brain hurts.

--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
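The "tool to reverse the domain" that Dave asks for, as an added example written for this page (not part of the thread, and not a dnsmasq feature): it turns an IPv6 prefix into the nibble-reversed ip6.arpa zone name and emits the `server=/<zone>/<resolver>` line of the form Simon suggests, one per assigned range, refusing prefixes whose length is not a multiple of 4 because ip6.arpa is delegated per hex digit. The prefixes are constructed documentation-space stand-ins; the resolver addresses are the ones quoted in the thread.

```python
import ipaddress

def ip6_arpa_zone(prefix):
    """Nibble-reversed ip6.arpa name for an IPv6 prefix (RFC 3596 section 2.5).
    Raises ValueError when host bits are set or the length is not a multiple of 4:
    ip6.arpa is delegated per hex nibble, so a /61 would need several zone entries."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length /%d is not nibble-aligned" % net.prefixlen)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def reverse_server_line(prefix, resolver):
    """dnsmasq 'server=/<zone>/<resolver>': PTR queries under the zone name, and
    every longer name beneath it, go to that resolver instead of the default ones."""
    return "server=/%s/%s" % (ip6_arpa_zone(prefix), resolver)

def reverse_config(assignments):
    """One server= line per (prefix, resolver) pair."""
    return [reverse_server_line(p, r) for p, r in assignments]

# Constructed stand-ins (RFC 3849 documentation space) for the ISP-assigned /60 and
# the tunnel-broker /48 from the thread; resolver addresses as quoted in the thread.
ASSIGNMENTS = [
    ("2001:db8:1234:abc0::/60", "2001:558:feed::1"),
    ("2001:db8:5678::/48", "2001:470:20::2"),
]

if __name__ == "__main__":
    print("\n".join(reverse_config(ASSIGNMENTS)))
```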
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On 01/30/2014 11:40 AM, Dave Taht wrote:
>>> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.
>>
>> Have you looked at the dnsmasq auth stuff for this?
>
> head, hurting.

hope a real-life example helps :)

$ cat /etc/dnsmasq.conf
enable-ra
dhcp-range=lan, 2a00:1508:1:f004::, ra-names
dhcp-option=option6:domain-search,red.deltalibre.org.ar
### up until here, simply send RAs on the local network,
### and tell clients the domain they belong to

### tun6 is a tunnel interface to a public v6 broker
auth-server=gw-red.deltalibre.org.ar,tun6
auth-zone=red.deltalibre.org.ar,2a00:1508:1:f004::/64
auth-sec-servers=dnsrelay1.altermundi.net
# Let others cache our /etc/hosts and dhcp.lease info
auth-ttl=602

with that configuration, here are some queries

$ dig aaaa gw-red.deltalibre.org.ar @8.8.8.8 +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5279
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gw-red.deltalibre.org.ar.      IN      AAAA

;; ANSWER SECTION:
gw-red.deltalibre.org.ar. 7200  IN      AAAA    2a00:1508:1:f004::1

;; Query time: 2626 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 30 16:38:48 2014
;; MSG SIZE  rcvd: 70

$ dig ns red.deltalibre.org.ar @8.8.8.8 +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34645
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;red.deltalibre.org.ar.         IN      NS

;; ANSWER SECTION:
red.deltalibre.org.ar.  602     IN      NS      gw-red.deltalibre.org.ar.
red.deltalibre.org.ar.  602     IN      NS      dnsrelay1.altermundi.net.

;; Query time: 568 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 30 16:39:01 2014
;; MSG SIZE  rcvd: 98

That unusual TTL lets you tell apart which replies originated on my dnsmasq instance.

dnsrelay[12].altermundi.net are bind servers, elsewhere, which hold the NS record of red.deltalibre.org.ar pointing to gw-red host as well as the glue record shown in the first query (gw-red.deltalibre.org.ar. 7200 IN AAAA 2a00:1508:1:f004::1)

[right now dnsrelay1.altermundi.net ipv4 is down :c so queries fail randomly when asking 8.8.8.8 depending on whether it tries to recurse to dnsrelay1 (down) or gw-red (up, ipv6-only)]

but feel free to poke 2a00:1508:1:f004::1 directly

cheers!
gui

> Simon.
>
>> My brain hurts.