[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
dave.taht at gmail.com
Tue Feb 4 11:20:45 EST 2014
One of the last big-ticket items that was on cerowrt's original
roadmap has been dnssec support.
An alpha of support for it just landed upstream and is available in dnsmasq's
I'm REALLY reluctant to just add it to the cerowrt build, but am
seriously tempted to slide it in before cerowrt hits a stable release.
As dnsmasq is used heavily in ubuntu at least, it would make more
sense for those that
run that os to be trying this before committing it to cerowrt. I don't
know to what extent other OSes run dnsmasq.
Is anyone up to producing a ppa or working with this on their
There are two new library requirements in dnsmasq that bloat it up
and libgmp. Still, it's under a megabyte.
---------- Forwarded message ----------
From: Simon Kelley <simon at thekelleys.org.uk>
Date: Tue, Feb 4, 2014 at 10:29 AM
Subject: [Dnsmasq-discuss] Testers wanted: DNSSEC.
To: Dnsmasq-discuss at lists.thekelleys.org.uk
DNSSEC in dnsmasq is a long story. There have been requests for the
feature for at least five years, and work was started in earnest two
years ago, when Giovanni Bajo got much of the way on validation, and I
made the necessary changes to the cache code. That effort stalled
until this winter, when a grant from Comcast
allowed me to work full-time to get things moving again.
The result is dnsmasq-2.69test5, in git and the website now, which is
ready for testers, the more the better. From the release notes:
DNSSEC validation and caching. Dnsmasq needs to be
compiled with this enabled, with
make dnsmasq COPTS=-DHAVE_DNSSEC
this adds dependencies on the nettle crypto library and the
gmp maths library. It's possible to have these linked
make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
which bloats the dnsmasq binary to over a megabyte, but
saves the size of the shared libraries which are five
times that size.
To enable DNSSEC, you will need a set of
trust-anchors. Now that the TLDs are signed, this can be
the keys for the root zone, and for convenience they are
included in trust-anchors.conf in the dnsmasq
distribution. You should of course check that these are
legitimate and up-to-date. So, adding
to your config is all that's needed to get things
working. The upstream nameservers have to be DNSSEC-capable
too, of course. Many ISP nameservers aren't, but the
Google public nameservers (184.108.40.206 and 220.127.116.11) are.
When DNSSEC is configured, dnsmasq validates any queries
for domains which are signed. Query results which are
bogus are replaced with SERVFAIL replies, and results
which are correctly signed have the AD bit set. In
addition, and just as importantly, dnsmasq supplies
correct DNSSEC information to clients which are doing
their own validation, and caches DNSKEY, DS and RRSIG
records, which significantly improves the performance of
downstream validators. Setting --log-queries will show
DNSSEC in action.
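As an added example (not code from either e-mail or from dnsmasq), a small Python check for the behaviour described above: it builds a query with the EDNS0 DO bit, then classifies the reply by the AD bit and by a SERVFAIL rcode. The CD=1 re-query used to separate bogus data from an upstream failure is my own addition, assuming the resolver skips validation when CD is set as RFC 4035 describes; the sample replies are constructed inline.

```python
"""Classify a validating resolver's reply by its header flags (added example)."""
import socket
import struct

AD_BIT = 0x0020          # Authenticated Data flag in the DNS header
CD_BIT = 0x0010          # Checking Disabled flag
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000         # DNSSEC OK bit in the EDNS0 OPT flags field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, cd: bool = False) -> bytes:
    """Build a UDP DNS query (RD set) with an EDNS0 OPT record carrying DO,
    so the resolver returns RRSIGs and, if it validates, sets AD."""
    flags = 0x0100 | (CD_BIT if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, UDP payload 4096, ext-rcode 0, version 0, DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def classify(reply: bytes) -> str:
    """'secure' (AD set), 'insecure' (NOERROR, no AD), 'bogus-or-servfail' or 'error:<rcode>'."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        # dnsmasq answers SERVFAIL for bogus data, but a dead upstream looks identical
        return "bogus-or-servfail"
    if rcode != 0:
        return f"error:{rcode}"
    return "secure" if flags & AD_BIT else "insecure"


def diagnose(reply_cd0: bytes, reply_cd1: bytes) -> str:
    """Split SERVFAIL: if the same name answers with CD=1, validation failed (bogus)."""
    verdict = classify(reply_cd0)
    if verdict != "bogus-or-servfail":
        return verdict
    return "bogus" if classify(reply_cd1) in ("secure", "insecure") else "upstream-failure"


# Constructed sample reply headers: QR|RD|RA with AD, without AD, and SERVFAIL
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_INSECURE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    # Live check against a local dnsmasq; resolver address and test name are assumptions
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query("example.com"), ("127.0.0.1", 53))
        print(classify(s.recv(4096)))
```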
I've been using this code in production here for 24 hours without
problems, so it's probably fine, but certainly alpha, and you're
advised to have a fallback path, just in case. It's pretty much
complete, except for NSEC3 validation. NXDOMAIN/NODATA replies for
zones which use this will be wrongly classed as INSECURE at the
So, please go for it, and report results here.
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html