Toke Høiland-Jørgensen writes: > Can add it to my bufferbloat OBS :) Right, so packages available for Arch, Debian 7 and Ubuntu 12.04, 12.10 and 13.10 are available from here: https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq For some reason, signature verification is failing for me on the Arch repo. Also, installed it on my workstation, and it seems to do *something* at least. Running with --log-queries I get output like this: dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1 dnsmasq[19525]: dnssec-query[DNSKEY] tohojo.dk to 127.0.0.1 dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1 dnsmasq[19525]: dnssec-query[DS] tohojo.dk to 127.0.0.1 dnsmasq[19525]: reply tohojo.dk is DS keytag 49471 dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 30141 dnsmasq[19525]: reply tohojo.dk is DNSKEY keytag 49471 dnsmasq[19525]: validation result is SECURE (I'm still running BIND on localhost on a different port which is why it's forwarded to there...) And sometimes there's also lines saying dnsmasq[19525]: validation result is INSECURE but mostly from in-addr.arpa and other places that I wouldn't expect to be verified. Finally there's a bunch of queries that don't say anything about dnssec anywhere. Oh, and --dnssec-debug doesn't seem to do anything. -Toke