[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
toke at toke.dk
Thu Feb 6 07:35:43 EST 2014
Simon Kelley <simon at thekelleys.org.uk> writes:
> If you send the dnsmasq process SIGUSR1, it will dump to the log a few
> statistics (and a dump of the contents of the cache if you have
> --log-queries set)
Right; well after running for 16h, mostly idle:
dnsmasq: time 1391689421
dnsmasq: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq: queries forwarded 455, queries answered locally 121527
dnsmasq: queries for authoritative zones 0
dnsmasq: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq: server 127.0.0.1#5333: queries sent 491, retried or failed 0
> The stats includes memory use by DNSSEC, so keeping an eye on that would be
> good, I'm twitchy about it, having spent 4 days finding a memory leak just
> before this release.
Will keep an eye on it :)
So, just to make sure I understand things: What kind of guarantees does
the DNSSEC support give? If an upstream server is injecting things into
DNS (for a signed zone of course), is dnsmasq guaranteed to discard the
reply? And can a malicious upstream server strip out DNSSEC results to
fool dnsmasq into accepting a bogus response?
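
The following is an added example, not part of the original message or of dnsmasq: a Python parser for the SIGUSR1 statistics lines quoted above that tracks the DNSSEC memory figures across successive dumps and flags steady growth. The optional "[pid]" syslog tag, the function names, and every sample dump after the first are assumptions constructed for illustration.

```python
import re

# Patterns follow the SIGUSR1 dump format quoted in the message; the optional
# "[pid]" part is an assumption about how syslog tags the lines.
TAG = r"dnsmasq(?:\[\d+\])?: "
TIME_RE = re.compile(TAG + r"time (\d+)")
MEM_RE = re.compile(TAG + r"DNSSEC memory in use (\d+), max (\d+), allocated (\d+)")
QUERY_RE = re.compile(TAG + r"queries forwarded (\d+), queries answered locally (\d+)")


def parse_dumps(lines):
    """Group log lines into one record per SIGUSR1 dump (each starts with 'time')."""
    dumps, current = [], None
    for line in lines:
        if m := TIME_RE.search(line):
            current = {"time": int(m.group(1))}
            dumps.append(current)
        elif current is None:
            continue  # stray line before the first 'time' marker
        elif m := MEM_RE.search(line):
            current["in_use"], current["max"], current["allocated"] = map(int, m.groups())
        elif m := QUERY_RE.search(line):
            current["forwarded"], current["local"] = map(int, m.groups())
    # Dumps without a DNSSEC line (DNSSEC disabled, truncated log) are dropped.
    return [d for d in dumps if "in_use" in d]


def leak_suspected(dumps, min_samples=3):
    """Heuristic: 'in use' and 'max' both rose between every pair of the last
    min_samples dumps. A cache that is still filling looks the same, so a hit
    is a prompt to investigate, not proof of a leak."""
    recent = dumps[-min_samples:]
    if len(recent) < min_samples:
        return False
    pairs = zip(recent, recent[1:])
    return all(b["in_use"] > a["in_use"] and b["max"] > a["max"] for a, b in pairs)


# Constructed sample: the first dump is taken from the message, the rest are invented.
SAMPLE = """\
dnsmasq: time 1391689421
dnsmasq: queries forwarded 455, queries answered locally 121527
dnsmasq: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[1234]: time 1391693021
dnsmasq[1234]: DNSSEC memory in use 15040, max 24112, allocated 26208
dnsmasq[1234]: time 1391696621
dnsmasq[1234]: DNSSEC memory in use 23500, max 30240, allocated 32256
""".splitlines()
```

Feed it the dnsmasq lines from the system log after each SIGUSR1; calling leak_suspected(parse_dumps(SAMPLE)) on the constructed data returns True.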