Public bug reported:
I just noticed that Network Manager isn't using --proxy-dnssec for the local
resolver.
Using this option is important for environments where the client (firefox or
similar) is actively checking for the DNSSEC flags.
From dnsmasq's man page:

    --proxy-dnssec
        A resolver on a client machine can do DNSSEC validation in two ways:
        it can perform the cryptographic operations on the reply it receives,
        or it can rely on the upstream recursive nameserver to do the
        validation and set a bit in the reply if it succeeds. Dnsmasq is not a
        DNSSEC validator, so it cannot perform the validation role of the
        recursive nameserver, but it can pass through the validation results
        from its own upstream nameservers. This option enables this behaviour.
        You should only do this if you trust all the configured upstream
        nameservers and the network between you and them. If you use the first
        DNSSEC mode, validating resolvers in clients, this option is not
        required. Dnsmasq always returns all the data needed for a client to
        do validation itself.
As our dnsmasq should be as transparent as possible to the user, I believe
doing dnssec passthrough is the right thing and will be important for some of
our users.
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/946093
Title:
DNSSEC passthrough support in dnsmasq
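The "bit in the reply" the man page refers to is the AD (Authenticated Data) flag in the DNS message header (RFC 4035). The following is an added example, not code from the bug report, dnsmasq or NetworkManager: it builds constructed DNS replies, reads the header flags, and shows the difference a client sees between a forwarder that passes the upstream validation result through and one that clears it. The message bytes, query name and function names are assumptions made for the example.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: upstream validator accepted the answer
FLAG_CD = 0x0010  # checking disabled

HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def validation_status(msg: bytes, upstream_path_trusted: bool = True) -> str:
    """What a non-validating client can conclude from the AD flag.

    The AD flag only carries meaning when the client trusts both the upstream
    validator and the network path to it (the caveat in dnsmasq's man page);
    a hypothetical trust flag models that decision here.
    """
    h = parse_header(msg)
    if not h["is_response"]:
        return "not a response"
    if not h["ad"]:
        return "unvalidated (AD clear)"
    if not upstream_path_trusted:
        return "AD set but untrusted path: treat as unvalidated"
    return "validated upstream (AD set)"


def build_reply(ident: int, flags: int, qname: str = "example.com") -> bytes:
    """Construct a minimal DNS message: header plus one A/IN question, no answers.

    Constructed test data; enough to exercise the header parsing above.
    """
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def strip_ad(msg: bytes) -> bytes:
    """Model a forwarder that does NOT proxy DNSSEC results: it clears AD."""
    ident, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HH", ident, flags & (0xFFFF ^ FLAG_AD)) + msg[4:]


if __name__ == "__main__":
    # Constructed reply as returned by a validating upstream resolver.
    from_upstream = build_reply(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    print("with proxy-dnssec:   ", validation_status(from_upstream))
    print("without proxy-dnssec:", validation_status(strip_ad(from_upstream)))
```

Running the script prints the two outcomes a client such as a browser doing its own AD-flag check would observe: with pass-through the reply still reports "validated upstream", without it the same answer arrives as "unvalidated".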