Hi Michael,

Thanks for your comments and your point about the inconsistency in the MIR 
description.
It seems to me that you read between the lines and got me correctly.
But to avoid any other confusion I want to tell the whole story about config 
options.

(1) by default dnssec is disabled and no anchors are needed at all

(2) to enable dnssec capability in dnsmasq you need to put 'dnssec'
option into /etc/dnsmasq.conf

If you have dnssec enabled you have two options:

(1) if dns-root-data package is installed -- dnsmasq uses its anchors
automatically:

/etc/init.d/dnsmasq:
<...>
# If the dns-root-data package is installed, then the trust anchors will be 
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.

ROOT_DS="/usr/share/dns/root.ds"

if [ -f $ROOT_DS ]; then
   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`"
fi
<...>

(2) if dns-root-data package is not installed but 'dnssec' option is
enabled -- you'll get an error:

dnsmasq[2623]: No trust anchors provided for DNSSEC

To deal with this error you need to put the following line into 
/etc/dnsmasq.conf as well:
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
By putting this line into config we force dnsmasq to use its own anchors which 
are installed by dnsmasq-base package.
You may put a path to your own anchors as well.

Bottom line:
We can live without dns-root-data installed.
It's just a good way to centralize important security data in one place which 
might be useful.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1426460

Title:
  [MIR] dns-root-data

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dns-root-data/+bug/1426460/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

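The conversion the init script performs above (BIND zone-file DS records from /usr/share/dns/root.ds turned into dnsmasq --trust-anchor options), as an added example that is not part of the bug thread or of the dnsmasq package's own init script. It adds the check a practitioner would want before handing the options to dnsmasq (numeric key tag, algorithm and digest type, and a digest whose length matches the digest type) and fails explicitly when the file yields no anchors, which is the situation in which dnsmasq itself would log "No trust anchors provided for DNSSEC". The sample root.ds contents are written inline so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Ubuntu init script: convert root-zone DS records in
# BIND zone-file format into dnsmasq --trust-anchor options and sanity-check them.
set -u

# Constructed sample standing in for /usr/share/dns/root.ds (the path used by
# the init script). A comment line and a blank line are included to show that
# they are skipped; the init script's plain sed would pass them through.
SAMPLE_ROOT_DS="${TMPDIR:-/tmp}/root.ds.example.$$"
cat > "$SAMPLE_ROOT_DS" <<'EOF'
; root zone trust anchors, sample file for this example
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF

# ds_to_trust_anchors FILE
# Emits one "--trust-anchor=.,<keytag>,<algorithm>,<digesttype>,<digest>" line
# per DS record for the root, i.e. dnsmasq's --trust-anchor syntax with the
# optional class omitted. Only lines of the exact shape ". IN DS a b c d" are
# converted; comments, blank lines and anything else are ignored.
ds_to_trust_anchors() {
    awk '$1 == "." && $2 == "IN" && $3 == "DS" && NF == 7 {
        printf "--trust-anchor=.,%s,%s,%s,%s\n", $4, $5, $6, $7
    }' "$1"
}

# check_trust_anchor OPTION
# Returns 0 if OPTION is a well-formed root trust anchor: numeric key tag and
# algorithm, a known digest type, and a hex digest of the length that digest
# type requires (1 = SHA-1, 40 hex; 2 = SHA-256, 64 hex; 4 = SHA-384, 96 hex).
check_trust_anchor() {
    printf '%s\n' "$1" |
        grep -Eq '^--trust-anchor=\.,[0-9]+,[0-9]+,[124],[0-9A-Fa-f]+$' || return 1
    dtype=$(printf '%s' "$1" | cut -d, -f4)
    digest=$(printf '%s' "$1" | cut -d, -f5)
    case "$dtype" in
        1) want=40 ;;
        2) want=64 ;;
        4) want=96 ;;
        *) return 1 ;;
    esac
    [ "${#digest}" -eq "$want" ]
}

# build_dnsmasq_opts FILE
# Prints the space-separated option string the init script appends to
# DNSMASQ_OPTS. Fails (exit 1) on a malformed anchor, or when FILE yields no
# anchors at all, which is the case where dnsmasq started with 'dnssec' would
# refuse to run with "No trust anchors provided for DNSSEC".
build_dnsmasq_opts() {
    opts=""
    n=0
    for a in $(ds_to_trust_anchors "$1"); do
        check_trust_anchor "$a" || {
            echo "malformed trust anchor: $a" >&2
            return 1
        }
        opts="$opts $a"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || {
        echo "no DS records found in $1; dnsmasq would log" \
             "'No trust anchors provided for DNSSEC'" >&2
        return 1
    }
    printf '%s\n' "${opts# }"
}

# Demo: the options the init script would pass for the sample file.
if DNSMASQ_OPTS="$(build_dnsmasq_opts "$SAMPLE_ROOT_DS")"; then
    echo "dnsmasq $DNSMASQ_OPTS"
fi
```

If dns-root-data is not installed, the same functions can be pointed at a locally maintained DS file instead, which mirrors the thread's alternative of supplying your own anchors via conf-file; the length check catches a digest truncated by a copy-and-paste error before dnsmasq silently trusts the wrong key.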