[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Dave Taht dave.taht at gmail.com
Tue Feb 4 11:20:45 EST 2014

One of the last big-ticket items that was on cerowrt's original
roadmap has been dnssec support.

An alpha of support for it just landed upstream and is available in dnsmasq's
testing directory...


I'm REALLY reluctant to just add it to the cerowrt build, but am
seriously tempted to slide it in before cerowrt hits a stable release.

As dnsmasq is used heavily in ubuntu at least, it would make more
sense for those that run that os to be trying this before committing
it to cerowrt. I don't know to what extent other OSes run dnsmasq.

Is anyone up to producing a ppa or working with this on their
os-of-choice systems?

There are two new library requirements in dnsmasq that bloat it up
considerably, libnettle and libgmp. Still, it's under a megabyte.

---------- Forwarded message ----------
From: Simon Kelley <simon at thekelleys.org.uk>
Date: Tue, Feb 4, 2014 at 10:29 AM
Subject: [Dnsmasq-discuss] Testers wanted: DNSSEC.
To: Dnsmasq-discuss at lists.thekelleys.org.uk

DNSSEC in dnsmasq is a long story. There have been requests for the
feature for at least five years, and work was started in earnest two
years ago, when Giovanni Bajo got much of the way on validation, and I
made the necessary changes to the cache code. That effort stalled
until this winter, when a grant from Comcast
allowed me to work full-time to get things moving again.

The result is dnsmasq-2.69test5, in git and the website now, which is
ready for testers, the more the better. From the release notes:

            DNSSEC validation and caching. Dnsmasq needs to be
            compiled with this enabled, with

            make dnsmasq COPTS=-DHAVE_DNSSEC

            this adds dependencies on the nettle crypto library and the
            gmp maths library. It's possible to have these linked
            statically with

            make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

            which bloats the dnsmasq binary to over a megabyte, but
            saves the size of the shared libraries which are five
            times that size.
            To enable DNSSEC, you will need a set of
            trust-anchors. Now that the TLDs are signed, this can be
            the keys for the root zone, and for convenience they are
            included in trust-anchors.conf in the dnsmasq
            distribution. You should of course check that these are
            legitimate and up-to-date. So, adding


            to your config is all that's needed to get things
            working. The upstream nameservers have to be DNSSEC-capable
            too, of course. Many ISP nameservers aren't, but the
            Google public nameservers ( and are.
            When DNSSEC is configured, dnsmasq validates any queries
            for domains which are signed. Query results which are
            bogus are replaced with SERVFAIL replies, and results
            which are correctly signed have the AD bit set. In
            addition, and just as importantly, dnsmasq supplies
            correct DNSSEC information to clients which are doing
            their own validation, and caches DNSKEY, DS and RRSIG
            records, which significantly improve the performance of
            downstream validators. Setting --log-queries will show
            DNSSEC in action.

I've been using this code in production here for 24 hours without
problems, so it's probably fine, but certainly alpha, and you're
advised to have a fallback path, just in case. It's pretty much
complete, except for NSEC3 validation. NXDOMAIN/NODATA replies for
zones which use this will be wrongly classed as INSECURE at the

So, please go for it, and report results here.
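The release notes above say the upstream nameservers have to be DNSSEC-capable, that bogus answers come back as SERVFAIL and that correctly signed answers carry the AD bit. Before pointing dnsmasq at an upstream it is worth checking which of those three outcomes the upstream actually produces. The following is an added example, not code from this thread or from dnsmasq: it builds a DNS query with the EDNS0 DO bit set, parses the reply header, and classifies the result the same way the notes describe. The helper names, the transaction id 0x1234, the query name example.com and the three constructed header-only replies are all assumptions made for the example; the live probe_resolver() function needs network access and is not exercised by the constructed samples.

```python
import socket
import struct

# RCODE values from RFC 1035
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

# Header flag bits in the second 16-bit word of the DNS header
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
EDNS_DO = 0x8000   # "DNSSEC OK" bit carried in the OPT RR's TTL field


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, want_dnssec=True):
    """Build a recursive query (type A by default). With want_dnssec an OPT RR with
    DO set is appended, so a DNSSEC-capable resolver returns RRSIGs and, if it
    validates, sets the AD bit in its reply."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if want_dnssec:
        # name=root, type=OPT, class=UDP payload size, TTL=ext-rcode/version/flags, rdlen=0
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(resp):
    """Extract the id, the flag bits we care about and the RCODE from a reply."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x000F}


def classify(resp, expected_id=0x1234):
    """Map a reply onto the three outcomes the dnsmasq release notes describe."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "not-our-answer"
    if h["rcode"] == SERVFAIL:
        return "servfail"      # what a validating resolver returns for bogus data
    if h["ad"]:
        return "secure"        # validated by the resolver: AD bit set
    return "insecure"          # answered, but not validated (or zone unsigned)


def _hdr(flags, rcode=NOERROR):
    """Constructed 12-byte header-only reply used as sample input."""
    return struct.pack("!HHHHHH", 0x1234, flags | rcode, 1, 0, 0, 0)


# Constructed samples standing in for a validating, a non-validating and a
# failing upstream; real replies would also carry question/answer sections.
SAMPLE_SECURE = _hdr(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_INSECURE = _hdr(FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = _hdr(FLAG_QR | FLAG_RD | FLAG_RA, SERVFAIL)


def probe_resolver(server, name="example.com", timeout=3.0):
    """Send the query over UDP port 53 and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


if __name__ == "__main__":
    for label, pkt in (("secure", SAMPLE_SECURE), ("insecure", SAMPLE_INSECURE),
                       ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(pkt))
```

Querying a name in a signed zone and getting "secure" back shows the upstream validates; "insecure" for a zone you know is signed means the upstream is not DNSSEC-capable and should not be used. One caveat worth keeping in mind: an AD bit arriving over plain UDP from an upstream is only a hint, since anyone on the path could set it; that is exactly why dnsmasq doing its own validation against a local trust anchor, as the notes describe, is the part that protects clients.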


Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
