[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Toke Høiland-Jørgensen toke at toke.dk
Wed Feb 5 15:09:04 EST 2014

Simon Kelley <simon at thekelleys.org.uk> writes:

> Same CPU architecture as the working systems, or different?

Sorry, I meant that the package signatures for the OBS Arch packages are
failing, not the DNSSEC signatures...

> That's expected for 1) queries answered from local configuration
> (/etc/hosts etc) 2) queries answered with data from DHCP (this is
> probably not relevant) 3) queries answered from the cache. The
> verification result is stored in the cache and not repeated.
> The log gives the source of the data, so these should be identifiable.

Well turning log-queries back on, this is the first one (seems to be the
second query performed):

dnsmasq[8595]: query[PTR] from
dnsmasq[8595]: forwarded to
dnsmasq[8595]: validation result is INSECURE
dnsmasq[8595]: reply is static-213-115-75-62.sme.bredbandsbolaget.se

Don't see anything preceded by dnssec-query for any in-addr.arpa queries
before that (assuming the cache is not stored between restarts?).

> It does two things, the results of which are not externally obvious.
> 1) It sets the cd (checking disabled) bit in upstream queries, so that
> it's possible to check that invalid data is identified, rather than
> just getting a SERVFAIL from the upstream server.
> 2) It suppresses SERVFAIL as the reply to queries whose answer doesn't
> verify, for similar reasons.

Right; I was assuming it would increase the log output, similar to dig
+trace or something...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140205/4df85f8f/attachment.sig>

More information about the Cerowrt-devel mailing list