Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-12 Thread Tomas Hozza
On 05.10.2015 12:31, Ernst Ahlers wrote:
>> You can have a local zone with local data also in Unbound.
> 
> Sure, but also signed with DNSSEC?

No, it cannot. Unbound cannot sign the records. It may be
possible to serve an already signed zone, but I never
experimented with this.

I agree with the later response that if you want signing, it
may be better to use BIND. It can do the signing for you
automatically on-the-fly and also do the management of keys
(rollover) based on validity of the keys. Making such a setup
with BIND is super easy.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-05 Thread Tomas Hozza
On 03.10.2015 07:53, Stéphane Guedon wrote:
> On Friday 2 October 2015, 19:34:30 Ernst Ahlers wrote:
>> Thanks for chiming in Stephane,
>>
>>> Allowing dnsmasq to sign (or give a proof of authenticity) would solve
>>> this
>>> problem, yet I am sure it is not easy.
>>
>> AFAIK there's no provision yet in dnsmasq for keeping signed domains.
>> After all it was never intended to be a fully fledged DNS server.
>>
>> So the only viable option I see now would be switching to Unbound --
>> which AVM is unlikely to do IMHO.
>>
>> Have a nice weekend all around!
>>
>> Ernst
> 
> Unbound is only a resolver.
> 
> To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.
> 
> Bind would then allow you also to resolve (as it's the all-in-one dns).

You can have a local zone with local data also in Unbound.

Check https://unbound.nlnetlabs.nl/documentation/unbound.conf.html
and the options 'local-zone' and 'local-data' or 'stub-zone'.

I would say Unbound is as much of an authoritative server as dnsmasq tries to be.

Plus Unbound can be easily reconfigured during runtime.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-05 Thread Ernst Ahlers
> You can have a local zone with local data also in Unbound.

Sure, but also signed with DNSSEC?

CU

ea

-- 
Ernst Ahlers, Redakteur/Editor
PGP-Key-ID: 0x265E 3662, plain text preferred

c't - Magazin für Computertechnik
www.ct.de
Karl-Wiechert-Allee 10
D-30625 Hannover, Germany
Phone +49 (0)511 5352 300
Fax +49 (0)511 5352 417

Heise Medien GmbH & Co. KG
Register court: Amtsgericht Hannover HRA 26709
Personally liable partner:
Heise Medien Geschäftsführung GmbH
Register court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder

Katze 5e



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-05 Thread Stéphane Guedon
On Monday 5 October 2015, 12:31:11 Ernst Ahlers wrote:
> > You can have a local zone with local data also in Unbound.
> 
> Sure, but also signed with DNSSEC?
> 
> CU
> 
> ea

That, I don't think so.

If you want to make something sophisticated, why not look at Bind?

It does all possible things ever!

I should add that I do not use it.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-03 Thread Ernst Ahlers
> Unbound is only a resolver.

You're right. Since I have no hands-on experience with Unbound the name
might have misled me into assuming it were usable as a full-blown DNS
server.

> To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.

It looks like that -- and even less of a chance for AVM making the move.

Thanks!

Ernst

-- 
Ernst Ahlers, Redakteur/Editor


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-03 Thread Stéphane Guedon
On Friday 2 October 2015, 19:34:30 Ernst Ahlers wrote:
> Thanks for chiming in Stephane,
> 
> > Allowing dnsmasq to sign (or give a proof of authenticity) would solve
> > this
> > problem, yet I am sure it is not easy.
> 
> AFAIK there's no provision yet in dnsmasq for keeping signed domains.
> After all it was never intended to be a fully fledged DNS server.
> 
> So the only viable option I see now would be switching to Unbound --
> which AVM is unlikely to do IMHO.
> 
> Have a nice weekend all around!
> 
> Ernst

Unbound is only a resolver.

To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.

Bind would then allow you also to resolve (as it's the all-in-one dns).



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Jan-Piet Mens
> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?

I don't think this is going to be possible.

BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
As somebody with a lot of clout, such as you have at c't :-), I would
contact them and politely request they quickly start signing their
myfritz platform. Chances are they might even do that. ;-)

-JP

[1] https://twitter.com/marcodavids/status/649861646232485888



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Ernst Ahlers
> I don't think this is going to be possible.

OK, so AVM would probably have to switch to Unbound. Or they'll just
choose to ignore the IPv4 NAT penalty...

> BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].

Thanks for the hint!

Funny, our 7390 with FritzOS-Beta 6.36 running on DT-VDSL shows no
sign at all of DNSSEC, even if I set it to use validating servers. But
then this option might be tied to the internet provider selection...
Seems I'll have to bugger AVM again. :-D

> I would contact them and politely request they quickly start
> signing their myfritz platform. Chances are they might even do
> that. ;-)

Oh, since they spoke of probably activating DNSSEC validation I'm
quite sure it's already on their timeline. :)

Anyway, many thanks for taking a look at my query!

Ernst

-- 
Ernst Ahlers, Redakteur/Editor


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Ernst Ahlers
> BTW, AVM seem to have DNSSEC validation on (at least) their 7390 [1].
> [1] https://twitter.com/marcodavids/status/649861646232485888

FYI: The originator of this tweet just fessed up to me that it was a fake.

CU

Ernst

-- 
Ernst Ahlers, Redakteur/Editor


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Jan-Piet Mens
> FYI: The originator of this tweet just fessed up to me that it was a fake.

I am talking to Marco now [1]. If this really was a fake, he's in trouble!

-JP

[1] https://twitter.com/jpmens/status/649980467928780800



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Stéphane Guedon
On Thursday 1 October 2015, 08:57:14 Ernst Ahlers wrote:
> > I guess the logic is that dnsmasq is the authoritative source for
> > that data, so it doesn't need to validate it to know that it's
> > real.
> 
> Right, but obviously the solution is not as simple as setting AD.
> 
> As for the background (sorry, since English is not my native tongue
> I'm having trouble being verbose):
> 
> A lot of people around here (me included) use a well-known router brand
> (Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
> free dyndns service (myfritz.net). It not only answers for both
> address types but for IPv6 also allows subdomains for hosts within
> your dyndns domain.
> 
> This is practical for accessing services like IMAP or Webdav(s) from
> anywhere via the same domain name. Now asking the router for a host
> from the local network will return the *external* IPv4 address and
> the global IPv6 address.
> 
> With IPv4 connections from the local network this obviously incurs a
> performance penalty since the packets will have to traverse the
> router's NAT. This might not be an issue with IMAP but definitely
> with NAS access via Webdav(s) or SFTP.
> 
> I submitted the idea of returning local IPv4 addresses for internal
> queries to AVM. Their reply was that this will fail if they'd enable
> DNSSEC for their dyndns service in the future. My knee-jerk reply
> was to let dnsmasq set the AD flag for this kind of query. But as
> per your explanations this is only half a solution.
> 
> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?
> 
> Best regards
> 
> Ernst
> 

Allow me to join in.

The interest is also that a domain is signed and used publicly (www, mx, imap
with public internet addresses signed...) but that when you are in your
network, the local dns (dnsmasq) gives your internal (nat, local) addresses
instead, which are not signed.

There, you will have conflicts between the two addresses.

Allowing dnsmasq to sign (or give a proof of authenticity) would solve this
problem, yet I am sure it is not easy.



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Ernst Ahlers
Thanks for chiming in, Stéphane,

> Allowing dnsmasq to sign (or give a proof of authenticity) would solve this 
> problem, yet I am sure it is not easy.

AFAIK there's no provision yet in dnsmasq for keeping signed domains.
After all it was never intended to be a fully fledged DNS server.

So the only viable option I see now would be switching to Unbound --
which AVM is unlikely to do IMHO.

Have a nice weekend all around!

Ernst

-- 
Ernst Ahlers, Redakteur/Editor


Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-01 Thread Ernst Ahlers

> I guess the logic is that dnsmasq is the authoritative source for
> that data, so it doesn't need to validate it to know that it's
> real.

Right, but obviously the solution is not as simple as setting AD.

As for the background (sorry, since English is not my native tongue
I'm having trouble being verbose):

A lot of people around here (me included) use a well-known router brand
(Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
free dyndns service (myfritz.net). It not only answers for both
address types but for IPv6 also allows subdomains for hosts within
your dyndns domain.

This is practical for accessing services like IMAP or Webdav(s) from
anywhere via the same domain name. Now asking the router for a host
from the local network will return the *external* IPv4 address and
the global IPv6 address.

With IPv4 connections from the local network this obviously incurs a
performance penalty since the packets will have to traverse the
router's NAT. This might not be an issue with IMAP but definitely
with NAS access via Webdav(s) or SFTP.

I submitted the idea of returning local IPv4 addresses for internal
queries to AVM. Their reply was that this will fail if they'd enable
DNSSEC for their dyndns service in the future. My knee-jerk reply
was to let dnsmasq set the AD flag for this kind of query. But as
per your explanations this is only half a solution.

Do you think there's any chance to solve this correctly without
switching from dnsmasq to Unbound or the like?

Best regards

Ernst

-- 
Ernst Ahlers, Redakteur/Editor

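The "only half a solution" point in the message above, as an added example that is not from the thread: a client that validates DNSSEC itself decides from RRSIGs it can verify, never from the AD bit in the header, so a local dnsmasq answer with AD set but no signatures would still be rejected once the dyndns zone is signed. The name nas.example.myfritz.net, the address and the RRSIG bytes are constructed; the check only tests for signature presence, not cryptographic validity.

```python
import struct

TYPE_A, TYPE_RRSIG, CLASS_IN = 1, 46, 1
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags word


def _skip_name(msg: bytes, off: int) -> int:
    # Return the offset just past the (possibly compressed) name at off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def inspect_answer(msg: bytes) -> dict:
    """Read the header flags and the record types in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"ad": bool(flags & AD_FLAG), "signed": TYPE_RRSIG in types, "answers": an}


def validating_client_accepts(msg: bytes) -> bool:
    # A validating client needs RRSIGs it can check itself; the AD bit is ignored
    return inspect_answer(msg)["signed"]  # presence check only, no crypto here


def build_response(ad: bool, with_rrsig: bool) -> bytes:
    """Constructed reply for the hypothetical name nas.example.myfritz.net (A)."""
    name = b"\x03nas\x07example\x07myfritz\x03net\x00"
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!6H", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 0)
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 168, 178, 20])
    msg = header + question + a_rr
    if with_rrsig:
        sig = b"\x00" * 20  # placeholder RRSIG rdata, constructed for illustration
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(sig)) + sig
    return msg


LOCAL_ANSWER = build_response(ad=True, with_rrsig=False)   # dnsmasq merely sets AD
PUBLIC_ANSWER = build_response(ad=False, with_rrsig=True)  # signed public zone answer
```

Both constructed replies answer the same name; the local one carries the RFC 1918 address and the AD hint, the public one carries a signature record, and only the latter passes a validator's check.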