[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Toke Høiland-Jørgensen toke at toke.dk
Thu Feb 6 07:35:43 EST 2014


Simon Kelley <simon at thekelleys.org.uk> writes:

> If you send the dnsmasq process SIGUSR1, it will dump to the log a few
> statistics (and a dump of the contents of the cache if you have
> --log-queries set)

Right; well after running for 16h, mostly idle: 

dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: queries for authoritative zones 0
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: server 127.0.0.1#5333: queries sent 491, retried or failed 0

> The stats includes memory use by DNSSEC, so keeping an eye on that would be
> good, I'm twitchy about it, having spent 4 days finding a memory leak just
> before this release.

Will keep an eye on it :)

So, just to make sure I understand things: What kind of guarantees does
the DNSSEC support give? If an upstream server is injecting things into
DNS (for a signed zone of course), is dnsmasq guaranteed to discard the
reply? And can a malicious upstream server strip out DNSSEC results to
fool dnsmasq into accepting a bogus response?

-Toke
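
Added example (not part of the original message and not dnsmasq code): one way to track the DNSSEC memory figures from repeated SIGUSR1 dumps is to parse the log lines and check whether "in use" keeps rising. The first dump below is the one quoted in the message; the later two dumps, the function names and the three-dump threshold are assumptions made for illustration.

```python
import re

# First dump is the one quoted in the message above; the second and third are
# constructed sample data (values invented to exercise the trend check).
SAMPLE_LOG = """\
dnsmasq[9057]: time 1391689421
dnsmasq[9057]: cache size 150, 3/876 cache insertions re-used unexpired cache entries.
dnsmasq[9057]: queries forwarded 455, queries answered locally 121527
dnsmasq[9057]: DNSSEC memory in use 8016, max 20304, allocated 22176
dnsmasq[9057]: time 1391693021
dnsmasq[9057]: DNSSEC memory in use 9120, max 20304, allocated 22176
dnsmasq[9057]: time 1391696621
dnsmasq[9057]: DNSSEC memory in use 11408, max 20304, allocated 22176
"""

TIME_RE = re.compile(r"dnsmasq\[\d+\]: time (\d+)")
MEM_RE = re.compile(r"DNSSEC memory in use (\d+), max (\d+), allocated (\d+)")
QUERY_RE = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")

def parse_dumps(text):
    """Split log text into one dict per SIGUSR1 dump, keyed on the 'time' line."""
    dumps = []
    for line in text.splitlines():
        if m := TIME_RE.search(line):
            dumps.append({"time": int(m.group(1))})
        elif not dumps:
            continue  # stats line before any 'time' header: cannot attribute it
        elif m := MEM_RE.search(line):
            dumps[-1].update(zip(("in_use", "max", "allocated"), map(int, m.groups())))
        elif m := QUERY_RE.search(line):
            dumps[-1].update(zip(("forwarded", "local"), map(int, m.groups())))
    return dumps

def dnssec_memory_growing(dumps, min_dumps=3):
    """Heuristic (assumed): True if 'in use' rose across each of the last min_dumps dumps."""
    series = [d["in_use"] for d in dumps if "in_use" in d][-min_dumps:]
    return len(series) >= min_dumps and all(a < b for a, b in zip(series, series[1:]))

if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE_LOG)
    for d in dumps:
        print(d["time"], d.get("in_use"), d.get("max"), d.get("allocated"))
    print("DNSSEC memory in use rising across dumps:", dnssec_memory_growing(dumps))
```

A steadily rising "in use" value on an idle resolver is only a prompt to look closer; a single dump, or a series that levels off, says nothing either way.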