On 05.02.2014 09:46, Simon Kelley wrote:
> The second answer comes from the cache, and the DO bit is not set in the
> query, so the answer doesn't have the AD flag or RRSIG. If you add
> "+dnssec" to the dig command you should see both in replies from the cache.
Thank you. You are right, that part of it works. In fact, dnsmasq forwards queries to FreeBSD's local BIND 9.8.4-P2 that I configured to also use DNSSEC - the question is whether dnscache should only ever return what it would also store in the cache.

Regarding query logging, I noticed a difference between BOGUS (known bad signature) and INSECURE (no signature). I am not sure whether these are official terms from the RFCs, but even if INSECURE is ambiguous, I would like to propose:

1. that the .example configuration file be enhanced with the dnssec snippet you use in the CHANGELOG - feel free to grab the port's patch from <http://svnweb.freebsd.org/ports/head/dns/dnsmasq-devel/files/patch-dnsmasq.conf.example?revision=342621&view=markup&sortby=date>

2. that the relevant query logging diagnostics and possible results for DNSSEC be documented in the manpage; otherwise this part of the manpage remains unclear to a user in these respects:

   - what is a reply, what is a response (in technical documentation, please always use the same word for the same subject)
   - BOGUS and SERVFAIL appear from nowhere without explanation elsewhere in the manual.

> --dnssec-debug
> Set debugging mode for the DNSSEC validation, set the Checking
> Disabled bit on upstream queries, and don't convert BOGUS
> replies to SERVFAIL responses.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
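The point Simon makes in the quoted reply (no DO bit in the query, so the answer carries neither the AD flag nor RRSIG records) is easiest to see on the wire. The following is an added example, not code from dnsmasq, BIND or anyone in this thread: it builds the two query forms that plain `dig` and `dig +dnssec` send, and inspects a reply for the AD flag, the CD flag, SERVFAIL and RRSIG records. The name, address, transaction id and RRSIG bytes are constructed for the demonstration; the RRSIG body is a placeholder, not a real signature.

```python
"""Added example: build a DNS query with or without the EDNS0 DO bit and
inspect a reply for the AD flag and RRSIG records.  Pure standard library;
all packets below are constructed for the demonstration."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000                  # DO bit in the OPT RR's 32-bit "TTL" field (RFC 6891)
FLAG_AD, FLAG_CD = 0x0020, 0x0010  # header flag bits (RFC 4035)
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted name in DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, want_dnssec, txid=0x1234):
    """Recursive A query; with want_dnssec, append an OPT RR with DO=1
    (this is the difference between plain `dig` and `dig +dnssec`)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO/Z, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse(msg):
    """Return (flags, questions, sections); each RR is (name, type, class, ttl, rdata)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], {}
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return flags, questions, sections


def has_do_bit(query):
    """True if the query carries an OPT RR with the DO bit set."""
    _, _, sections = parse(query)
    return any(rr[1] == TYPE_OPT and bool(rr[3] & EDNS_DO) for rr in sections["additional"])


def summarize_reply(reply):
    """What a client can observe: AD and CD flags, SERVFAIL, and RRSIG count in the answer."""
    flags, _, sections = parse(reply)
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "servfail": (flags & 0x000F) == RCODE_SERVFAIL,
            "rrsigs": sum(1 for rr in sections["answer"] if rr[1] == TYPE_RRSIG)}


def build_reply(query, answers, ad):
    """Constructed reply: echo the question, append (type, rdata) answer RRs, set AD if asked."""
    txid = struct.unpack("!H", query[:2])[0]
    _, questions, _ = parse(query)
    qname, qtype, qclass = questions[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (FLAG_AD if ad else 0), 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for rtype, rdata in answers:        # 0xC00C = pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


def demo():
    """Plain query -> plain answer; DO query -> validated answer with AD and RRSIG."""
    a_rdata = bytes([192, 0, 2, 1])                                    # constructed address
    rrsig = b"\x00" * 18 + encode_name("example.com") + b"\x00" * 16   # placeholder RRSIG, not a real signature
    q_plain, q_dnssec = build_query("example.com", False), build_query("example.com", True)
    plain = build_reply(q_plain, [(TYPE_A, a_rdata)], ad=False)
    validated = build_reply(q_dnssec, [(TYPE_A, a_rdata), (TYPE_RRSIG, rrsig)], ad=True)
    return has_do_bit(q_plain), has_do_bit(q_dnssec), summarize_reply(plain), summarize_reply(validated)


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports DO absent/present for the two queries, no AD and no RRSIG in the plain reply, and AD plus one RRSIG in the validated one. When checking a real resolver, the same `summarize_reply` applied to a captured packet tells you which of the three outcomes discussed here you got: AD set (validated), AD clear with RCODE 0 (insecure or unvalidated), or SERVFAIL (what a validating forwarder returns for BOGUS unless `--dnssec-debug` is in effect).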