Opened 7 years ago

Closed 3 years ago

#9790 closed defect (fixed)

Add proxy_dnssec option for dnsmasq

Reported by: Olipro <olipro@…> Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:


Pretty simple job, just add something like:

append_bool "$cfg" proxy_dnssec "--proxy-dnssec"

to the dnsmasq rc.d file.

Attachments (0)

Change History (5)

comment:1 Changed 5 years ago by KillaB

Just tested this with el Googs public servers. Works like a charm.
Thanks Olipro!

comment:2 Changed 5 years ago by jow

Do you see any downside to making it default enable as well?

comment:3 Changed 5 years ago by KillaB

Based on the wording from the manpage, I'd say it's probably best to let the user decide.
Perhaps a commented default enable line similar to nonwildcard is the best option.

#option proxy_dnssec	1

A resolver on a client machine can do DNSSEC validation in two ways: it can perform the cryptograhic operations on the reply it receives, or it can rely on the upstream recursive nameserver to do the validation and set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC validator, so it cannot perform the validation role of the recursive nameserver, but it can pass through the validation results from its own upstream nameservers. This option enables this behaviour. You should only do this if you trust all the configured upstream nameservers and the network between you and them. If you use the first DNSSEC mode, validating resolvers in clients, this option is not required. Dnsmasq always returns all the data needed for a client to do validation itself."

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:5 Changed 3 years ago by jogo

  • Resolution set to fixed
  • Status changed from new to closed

Proxy-dnssec support has been added in r36570.

Add Comment

Modify Ticket

as closed .
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.