Simon Kelley writes:

> If you send the dnsmasq process SIGUSR1, it will dump to the log a few
> statistics (and a dump of the contents of the cache if you have
> --log-queries set)

Right; well after running for 16h, mostly idle:

dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: queries for authoritative zones 0
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0

> The stats include memory use by DNSSEC, so keeping an eye on that would be
> good, I'm twitchy about it, having spent 4 days finding a memory leak just
> before this release.

Will keep an eye on it :)

So, just to make sure I understand things: What kind of guarantees does
the DNSSEC support give? If an upstream server is injecting things into
DNS (for a signed zone of course), is dnsmasq guaranteed to discard the
reply? And can a malicious upstream server strip out DNSSEC results to
fool dnsmasq into accepting a bogus response?

-Toke
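
One way to keep an eye on the DNSSEC memory figures from successive SIGUSR1 dumps, as an added example that is not part of the original message or of dnsmasq itself. It assumes each dump begins with a "time" line as in the output pasted above; the second dump in the sample and the growth factor of 2 are constructed for illustration.

```python
import re

# Constructed sample: the first dump copies the figures from the message above;
# the second dump is invented to show growth between two dumps.
SAMPLE_LOG = """\
dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0
dnsmasq[9057]: time 1391747021
dnsmasq[9057]: DNSSEC memory in use 8016, max 61200, allocated 65536
"""

TIME_RE = re.compile(r"dnsmasq\[\d+\]: time (\d+)")
MEM_RE = re.compile(
    r"dnsmasq\[\d+\]: DNSSEC memory in use (\d+), max (\d+), allocated (\d+)")

def parse_dumps(text):
    """Return one dict per stats dump with time, in_use, max and allocated."""
    dumps, current = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:  # assumption: a "time" line opens each dump
            current = {"time": int(m.group(1))}
            dumps.append(current)
            continue
        m = MEM_RE.search(line)
        if m and current is not None:
            current.update(zip(("in_use", "max", "allocated"),
                               map(int, m.groups())))
    # Drop dumps that carried no DNSSEC memory line.
    return [d for d in dumps if "allocated" in d]

def growth_alerts(dumps, factor=2.0):
    """Flag consecutive dumps whose 'allocated' figure grew by >= factor.

    The factor is a hypothetical threshold, not a dnsmasq setting.
    """
    alerts = []
    for prev, cur in zip(dumps, dumps[1:]):
        if cur["allocated"] >= factor * prev["allocated"]:
            alerts.append((prev["time"], cur["time"],
                           prev["allocated"], cur["allocated"]))
    return alerts

if __name__ == "__main__":
    for start, end, before, after in growth_alerts(parse_dumps(SAMPLE_LOG)):
        print(f"DNSSEC allocated grew {before} -> {after} between {start} and {end}")
```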