On 17. 04. 23 15:57, Simon Kelley wrote:
On 17/04/2023 01:10, Petr Menšík wrote:
I do not understand why proxy-dnssec caching should be unreliable. It
should be as simple as storing the AD bit from the reply in the cache entry.
I expect just an extra bit is something we can afford.
I explained this s
On 17/04/2023 01:10, Petr Menšík wrote:
I do not understand why proxy-dnssec caching should be unreliable. It
should be as simple as storing the AD bit from the reply in the cache entry. I
expect just an extra bit is something we can afford.
I explained this somewhere up-thread. The problem is that t
I do not understand why proxy-dnssec caching should be unreliable. It
should be as simple as storing the AD bit from the reply in the cache entry. I
expect just an extra bit is something we can afford. Network Manager should
stop passing dnssec-proxy in case it is configured via DBus however. I
think this
Hey Simon,
On Thu, 2023-04-13 at 22:15 +0100, Simon Kelley wrote:
> I'd like to know how EDE replies are being used, and what the changes
> referred to in this statement by Peter are.
>
> "Note that the changes made by the pi-hole developers have been
> implemented in pi-hole-FTL, the dnsmasq co
I'm not clear where the EDE in a reply fits in to this.
--proxy-dnssec does only one thing: it stops dnsmasq from zeroing the
authenticated data (AD) bit in replies before returning them to clients.
This means that clients can rely on the AD bit to tell if the answer is
secure, with a couple o
Hey Peter,
On Thu, 2023-04-13 at 12:15 +0200, Peter Russel wrote:
>
> Dominik, your questions and comments.
>
> Thanks for explaining "add-cpe-id=01234", meaning that it informs
> upstream that it is capable of processing EDNS data, nothing more.
> This implies dnsmasq cannot be the cause of "no
Hi
Simon, your question (summary of what you're trying to achieve)
Obviously, I'm running pihole-FTL, which is dnsmasq + pi-hole features.
- dnsmasq is configured with unbound as upstream
- dnsmasq cache-size= 0
- dnsmasq DNSSEC not enabled
- unbound (latest master compiled) as recursive resolver
Hey Peter,
On Thu, 2023-04-13 at 08:37 +0200, Peter Russel wrote:
> Hi Simon
>
> Unfortunately, it looks like I've been shouting victory a little soon.
>
> The results are perfect when using dig, however, when using a browser
> (firefox, edge) the results are unreliable / inconsistent.
>
> The
On 13/04/2023 07:37, Peter Russel wrote:
Hi Simon
Unfortunately, it looks like I've been shouting victory a little soon.
The results are perfect when using dig, however, when using a browser
(firefox, edge) the results are unreliable / inconsistent.
The assumption is that adding the setting
Hi Simon
Unfortunately, it looks like I've been shouting victory a little soon.
The results are perfect when using dig, however, when using a browser
(firefox, edge) the results are unreliable / inconsistent.
The assumption is that adding the setting "add-cpe-id=01234" ensures
dnsmasq will ALWAY
On 09/04/2023 18:50, Peter Russel wrote:
SOLVED
The developers added code to pihole-FTL, which is the latest dnsmasq +
features (to make pi-hole the better solution).
full story (pi-hole forum) here:
https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217
That wa
SOLVED
The developers added code to pihole-FTL, which is the latest dnsmasq +
features (to make pi-hole the better solution).
full story (pi-hole forum) here:
https://discourse.pi-hole.net/t/dnssec-discussion-support-for-proxy-dnssec/62217
according to this reply
(https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-April/008070.html
(nlnetlabs.nl)) in the unbound mailing list, it should be possible for
proxy-dnssec to return the correct information about the DNSSEC
information, enclosed in the reply by either:
- the AD bit
- anal
On 20/12/2019 15:23, S.B. wrote:
>
> Hi
>
> I did a few tests with the --proxy-dnssec option and according to my
> tests it seems as if this feature is not working as documented.
>
> If I query a dnssec signed domain I get an ad flag from my unbound which
> is my upstream server, but on every
Hi
I did a few tests with the --proxy-dnssec option and according to my tests it seems as if this feature is not working as documented.
If I query a dnssec signed domain I get an ad flag from my unbound which is my upstream server, but on every subsequent query that is answered by dnsmasq from