From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 4 Feb 2014 11:20:45 -0500
Subject: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

One of the last big-ticket items that was on cerowrt's original roadmap has been dnssec support.
An alpha of support for it just landed upstream and is available in dnsmasq's testing directory...

http://www.thekelleys.org.uk/dnsmasq/test-releases/

I'm REALLY reluctant to just add it to the cerowrt build, but am seriously tempted to slide it in before cerowrt hits a stable release. As dnsmasq is used heavily in ubuntu at least, it would make more sense for those that run that os to be trying this before committing it to cerowrt. I don't know to what extent other OSes run dnsmasq. Is anyone up to producing a ppa or working with this on their os-of-choice systems?

There are two new library requirements in dnsmasq that bloat it up considerably, libnettle and libgmp. Still, it's under a megabyte.

---------- Forwarded message ----------
From: Simon Kelley
Date: Tue, Feb 4, 2014 at 10:29 AM
Subject: [Dnsmasq-discuss] Testers wanted: DNSSEC.
To: Dnsmasq-discuss@lists.thekelleys.org.uk

DNSSEC in dnsmasq is a long story. There have been requests for the feature for at least five years, and work was started in earnest two years ago, when Giovanni Bajo got much of the way on validation, and I made the necessary changes to the cache code. That effort stalled until this winter, when a grant from Comcast (http://techfund.comcast.com/index.php/home/root/comcast-news/summer-2013-project-support-update) allowed me to work full-time to get things moving again.

The result is dnsmasq-2.69test5, in git and the website now, which is ready for testers, the more the better.

From the release notes:

DNSSEC validation and caching. Dnsmasq needs to be compiled with this enabled, with

    make dnsmasq COPTS=-DHAVE_DNSSEC

This adds dependencies on the nettle crypto library and the gmp maths library. It's possible to have these linked statically with

    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

which bloats the dnsmasq binary to over a megabyte, but saves the size of the shared libraries, which are five times that size.

To enable DNSSEC, you will need a set of trust-anchors.
Now that the TLDs are signed, this can be the keys for the root zone, and for convenience they are included in trust-anchors.conf in the dnsmasq distribution. You should of course check that these are legitimate and up-to-date. So, adding

    conf-file=/path/to/trust-anchors.conf
    dnssec

to your config is all that's needed to get things working. The upstream nameservers have to be DNSSEC-capable too, of course. Many ISP nameservers aren't, but the Google public nameservers (8.8.8.8 and 8.8.4.4) are.

When DNSSEC is configured, dnsmasq validates any queries for domains which are signed. Query results which are bogus are replaced with SERVFAIL replies, and results which are correctly signed have the AD bit set. In addition, and just as importantly, dnsmasq supplies correct DNSSEC information to clients which are doing their own validation, and caches DNSKEY, DS and RRSIG records, which significantly improves the performance of downstream validators.

Setting --log-queries will show DNSSEC in action.

I've been using this code in production here for 24 hours without problems, so it's probably fine, but certainly alpha, and you're advised to have a fallback path, just in case.

It's pretty much complete, except for NSEC3 validation. NXDOMAIN/NODATA replies for zones which use this will be wrongly classed as INSECURE at the moment.

So, please go for it, and report results here.

Cheers,

Simon.

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
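Simon's notes tell testers to check that the trust anchors shipped in trust-anchors.conf are legitimate before turning on validation. A trust anchor is a DS record, so the concrete check is to recompute the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY you obtained through a channel you trust and compare them with the anchor line. The following is an added example written for this post; it is not code from dnsmasq or from either author. It assumes the line format trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest> for dnsmasq's trust-anchor option, and the sample key and anchor it uses are constructed for the demo, not real root-zone key material.

```python
"""Recompute key tag and DS digest from a DNSKEY and compare with a dnsmasq trust anchor.

Added example (not dnsmasq code). Assumed anchor line syntax:
    trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
The sample key below is constructed and is NOT real DNSSEC key material.
"""
import base64
import hashlib
import hmac
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root terminator."""
    name = name.strip().rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_trust_anchor(line: str) -> dict:
    """Parse one trust-anchor line (assumed dnsmasq syntax, see module docstring)."""
    key, _, value = line.strip().partition("=")
    if key != "trust-anchor":
        raise ValueError("not a trust-anchor line: %r" % line)
    domain, tag, alg, dtype, digest = (f.strip() for f in value.split(","))
    return {"domain": domain, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": digest.upper()}


def anchor_matches_key(anchor: dict, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """True only if algorithm, key tag and DS digest all agree with the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    if algorithm != anchor["algorithm"] or key_tag(rdata) != anchor["key_tag"]:
        return False
    if anchor["digest_type"] not in DIGEST_ALGS:
        return False  # unknown digest type: refuse rather than guess
    expected = ds_digest(anchor["domain"], rdata, anchor["digest_type"])
    # Constant-time comparison so a mismatch does not reveal where the digests diverge.
    return hmac.compare_digest(expected, anchor["digest"])


# --- constructed sample (not real key material) ---------------------------------
SAMPLE_OWNER = "example."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 8  # KSK flag, DNSSEC protocol, RSA/SHA-256
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()


def sample_anchor_line() -> str:
    """Build the trust-anchor line that legitimately pins the constructed sample key."""
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM,
                         base64.b64decode(SAMPLE_PUBKEY_B64))
    return "trust-anchor=%s,%d,%d,2,%s" % (SAMPLE_OWNER, key_tag(rdata), SAMPLE_ALGORITHM,
                                           ds_digest(SAMPLE_OWNER, rdata, 2))


if __name__ == "__main__":
    good = parse_trust_anchor(sample_anchor_line())
    print(sample_anchor_line())
    print("genuine anchor matches key: ",
          anchor_matches_key(good, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
    tampered = dict(good, digest="00" * 32)
    print("tampered anchor matches key:",
          anchor_matches_key(tampered, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64))
```

To apply this to a real trust-anchors.conf, feed each trust-anchor line to parse_trust_anchor and pass the flags, algorithm and base64 public key of the DNSKEY you fetched out of band to anchor_matches_key; a False result for a line means that line should not be trusted as shipped. The key tag alone is not a proof of identity (it is a 16-bit checksum), which is why the digest is compared as well.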