Re: [Dnsmasq-discuss] DNSSEC passtrough

2018-07-03 Thread Petr Menšík
Thank you for looking into this Simon. On 06/29/2018 03:47 PM, Simon Kelley wrote: > Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective of > of having DNSSEC validation compiled in or enabled. Sure, this is true. Dnsmasq will pass DO bit from query. I think my issue is, once

Re: [Dnsmasq-discuss] DNSSEC passtrough

2018-06-29 Thread Simon Kelley
Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective of of having DNSSEC validation compiled in or enabled. The thing to understand here is that the cache does not store all the DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required to determine the set of DNSSEC

[Dnsmasq-discuss] DNSSEC passtrough

2018-06-29 Thread Petr Menšík
Hi Simon and others! I am thinking about dnssec support of dnsmasq. Is it possible to enable dnssec support, but disable dnssec validation at the same time? Bind for example have options dnssec-enable and dnssec-validation. There is option proxy-dnssec, but I think it only copies AD flag in