Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

["Toke Høiland-Jørgensen" <toke@toke.dk>]

[-- Attachment #1: Type: text/plain, Size: 1216 bytes --]

Simon Kelley <simon@thekelleys.org.uk> writes:

> If you send the dnsmasq process SIGUSR1, it will dump to the log a few
> statistics (and a dump of the contents of the cache of you have
> --log-queries set)

Right; well after running for 16h, mostly idle: 

dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: queries for authoritative zones 0
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0

> The stats includes memory use by DNSSEC, so keeping an eye on that would be
> good, I'm twitchy about it, having spent 4 days finding a memory leak just
> before this release.

Will keep an eye on it :)

So, just to make sure I understand things: What kind of guarantees does
the DNSSEC support give? If an upstream server is injecting things into
DNS (for a signed zone of course), is dnsmasq guaranteed to discard the
reply? And can a malicious upstream server strip out DNSSEC results to
fool dnsmasq into accepting a bogus response?

-Toke

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 489 bytes --]