On Wily, I edited /etc/dnsmasq.d/network-manager and added the following
lines:
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned
I then restarted network-manager and tried to connect to
For some reason, subsequent DNS queries do not always bring the same
result here with the above configuration:
First queries after a reboot return what's expected:
nicolas@nicolas-desktop:~ 0 $ dig www.dnssec-failed.org
; <<>> DiG 9.9.5-11ubuntu1.1-Ubuntu <<>> www.dnssec-failed.org
;; global
Does anyone have instructions for how to configure this by hand on a
desktop Ubuntu vivid or wily installation?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/995332
Title:
Please
Do NOT use the DNSSEC-proxy function of Dnsmasq. The validation is done on a
resolver in the internet. Any attacker can use a Man-In-The-Middle
attack between the DNSSEC-resolver in the internet and Dnsmasq to
manipulate the DNSSEC data. Proxying the DO-/AD-bit lulls the user into
a FALSE sense of
Dnsmasq has supported validating DNSSEC since version 2.69. Bugs have been
fixed since version 2.71.
Please update Ubuntu packages to 2.71 and compile with DNSSEC support
(see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG)!
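Added example, not part of the bug thread or of dnsmasq itself: a Python check over a dnsmasq configuration fragment for the points raised in the comments above, namely local validation through `dnssec` with a well-formed `trust-anchor`, as opposed to passing on the upstream AD bit. `audit`, `check_anchor` and the finding texts are names made up for this example, and `proxy-dnssec` is assumed to be the option behind the "DNSSEC-proxy function" the last comment refers to.

```python
import re

# Constructed input: the four lines quoted in the thread above.
SAMPLE = """\
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned
"""

# DS digest type -> digest length in hex characters (SHA-1, SHA-256, SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

def check_anchor(value):
    """Validate one trust-anchor value: [class,]domain,key-tag,algorithm,digest-type,digest."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) == 6:  # optional leading class field
        parts = parts[1:]
    if len(parts) != 5:
        return ["trust-anchor: expected 5 fields, got %d" % len(parts)]
    _domain, tag, alg, dtype, digest = parts
    if not (tag.isdigit() and alg.isdigit() and dtype.isdigit()):
        return ["trust-anchor: key tag, algorithm and digest type must be numeric"]
    if int(tag) > 65535:
        return ["trust-anchor: key tag %s out of range" % tag]
    want = DIGEST_HEX_LEN.get(int(dtype))
    if want is None:
        return ["trust-anchor: unknown digest type %s" % dtype]
    if not re.fullmatch("[0-9A-Fa-f]{%d}" % want, digest):
        return ["trust-anchor: digest is not %d hex characters" % want]
    return []

def audit(conf_text):
    """Return a list of findings for a dnsmasq configuration fragment."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    findings = []
    if "proxy-dnssec" in opts:
        findings.append("proxy-dnssec: upstream AD bit is passed on without local validation")
    if "dnssec" not in opts:
        return findings + ["dnssec not set: dnsmasq is not validating"]
    if "dnssec-check-unsigned" not in opts:
        findings.append("dnssec-check-unsigned not set (the thread's configuration sets it)")
    anchors = opts.get("trust-anchor", [])
    if not anchors:
        findings.append("dnssec set but no trust-anchor configured")
    return findings + [f for value in anchors for f in check_anchor(value)]
```

Calling `audit(SAMPLE)` on the thread's lines returns an empty list; a fragment containing only `proxy-dnssec` returns two findings.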