From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 06 Feb 2014 13:35:43 +0100
In-Reply-To: <52F371B3.5030406@thekelleys.org.uk> (Simon Kelley's message of "Thu, 06 Feb 2014 11:27:47 +0000")
Message-ID: <87k3d8mna8.fsf@toke.dk>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Simon Kelley writes:

> If you send the dnsmasq process SIGUSR1, it will dump to the log a few
> statistics (and a dump of the contents of the cache if you have
> --log-queries set)

Right; well after running for 16h, mostly idle:

dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: queries for authoritative zones 0
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0

> The stats includes memory use by DNSSEC, so keeping an eye on that would be
> good, I'm twitchy about it, having spent 4 days finding a memory leak just
> before this release.

Will keep an eye on it :)

So, just to make sure I understand things: What kind of guarantees does the DNSSEC support give? If an upstream server is injecting things into DNS (for a signed zone of course), is dnsmasq guaranteed to discard the reply? And can a malicious upstream server strip out DNSSEC results to fool dnsmasq into accepting a bogus response?
-Toke
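Simon's suggestion in this thread is to watch the DNSSEC memory figures in the SIGUSR1 statistics dump over time. The following script is an added example, not code from the thread or from the dnsmasq project: it parses dump lines in the layout Toke posted above, groups several dumps from one log file, and reports whether the DNSSEC "allocated" figure keeps climbing from dump to dump on an otherwise idle resolver, which is the pattern a leak would produce. The first dump in the sample log is the one from the message; the syslog prefixes and the two later dumps are constructed, and the regexes assume the line formats shown in the message and nothing more.

```python
"""Parse dnsmasq SIGUSR1 statistics dumps and track DNSSEC memory between dumps.
Added example; line formats are taken from the dump posted in the thread."""
import re

# Every statistics line is 'dnsmasq[<pid>]: <message>'; a syslog prefix may precede it.
LINE_RE = re.compile(r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*?)\s*$")

TIME_RE = re.compile(r"^time (\d+)$")
CACHE_RE = re.compile(r"^cache size (\d+), (\d+)/(\d+) cache insertions re-used unexpired cache entries\.$")
QUERIES_RE = re.compile(r"^queries forwarded (\d+), queries answered locally (\d+)$")
AUTH_RE = re.compile(r"^queries for authoritative zones (\d+)$")
DNSSEC_RE = re.compile(r"^DNSSEC memory in use (\d+), max (\d+), allocated (\d+)$")
SERVER_RE = re.compile(r"^server (\S+): queries sent (\d+), retried or failed (\d+)$")

# Constructed sample log: the first dump is the one from the thread, the
# syslog prefixes and the two later dumps (with growing allocation) are made up.
SAMPLE_LOG = """\
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: time 1391689421
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: queries for authoritative zones 0
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
Feb  6 13:23:41 cerowrt daemon.info dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: time 1391693021
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: cache size 150, 3/901 cache insertions re-used unexpired cache entries.
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: queries forwarded 470, queries answered locally 129000
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: queries for authoritative zones 0
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: DNSSEC memory in use 8100, max 20304, allocated 24320
Feb  6 14:23:41 cerowrt daemon.info dnsmasq[9057]: server 127.0.0.1#5333: queries sent 506, retried or failed 0
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: time 1391696621
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: cache size 150, 4/930 cache insertions re-used unexpired cache entries.
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: queries forwarded 488, queries answered locally 136400
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: queries for authoritative zones 0
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: DNSSEC memory in use 8150, max 20304, allocated 27104
Feb  6 15:23:41 cerowrt daemon.info dnsmasq[9057]: server 127.0.0.1#5333: queries sent 524, retried or failed 0
"""


def split_dumps(lines):
    """Group dnsmasq log lines into dumps; each dump starts at a 'time' line."""
    dumps, current = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        if TIME_RE.match(m.group("msg")) and current:
            dumps.append(current)
            current = []
        current.append(line)
    if current:
        dumps.append(current)
    return dumps


def parse_dump(lines):
    """Turn one dump into a dict of integers; upstream servers keyed by address#port."""
    stats = {"servers": {}}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        stats["pid"] = int(m.group("pid"))
        msg = m.group("msg")
        if (t := TIME_RE.match(msg)):
            stats["time"] = int(t.group(1))
        elif (c := CACHE_RE.match(msg)):
            stats["cache_size"], stats["reused_unexpired"], stats["insertions"] = map(int, c.groups())
        elif (q := QUERIES_RE.match(msg)):
            stats["forwarded"], stats["answered_locally"] = map(int, q.groups())
        elif (a := AUTH_RE.match(msg)):
            stats["authoritative"] = int(a.group(1))
        elif (d := DNSSEC_RE.match(msg)):
            stats["dnssec_in_use"], stats["dnssec_max"], stats["dnssec_allocated"] = map(int, d.groups())
        elif (s := SERVER_RE.match(msg)):
            stats["servers"][s.group(1)] = {"sent": int(s.group(2)), "failed": int(s.group(3))}
    return stats


def dnssec_memory_trend(dumps):
    """Return (time, in_use, allocated) per dump plus a flag that is True when
    'allocated' grew on every consecutive dump across at least three dumps."""
    points = [(d["time"], d["dnssec_in_use"], d["dnssec_allocated"])
              for d in dumps if "dnssec_allocated" in d]
    growing = len(points) >= 3 and all(b[2] > a[2] for a, b in zip(points, points[1:]))
    return points, growing


def analyze(log_text):
    """Parse a whole log and return the per-dump stats and the memory trend."""
    dumps = [parse_dump(chunk) for chunk in split_dumps(log_text.splitlines())]
    return dumps, dnssec_memory_trend(dumps)


if __name__ == "__main__":
    dumps, (points, growing) = analyze(SAMPLE_LOG)
    for t, in_use, allocated in points:
        print(f"time {t}: DNSSEC in use {in_use}, allocated {allocated}")
    print("allocated memory growing on every dump:", growing)
```

Run it against a real syslog by replacing SAMPLE_LOG with the file contents; the growth flag is deliberately conservative (three or more dumps, strictly increasing allocation), since a single jump after a burst of validations is expected and only a steady climb on an idle resolver is worth chasing.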