I just pushed out a new 2.69 test release, which completes the DNSSEC
feature-set with NSEC3 secure denial of existence. Thanks go to Messrs
Hunt, Gieben and Mekking for guiding me through that swamp.
If you're interested in DNSSEC, please give this a spin.
I've just tagged 2.69test8, which has some significant fixes to the
DNSSEC code.
One thing to note: I've also completely changed the way the trust
anchors are specified, from DNSKEYS to DS records. If you're using the
trust-anchors.conf file I supply, this should be transparent, but if you
One thing to note: I've also completely changed the way the trust
anchors are specified, from DNSKEYS to DS records.
Very nice and, yes, it works. :)
All that's left is to find a way to obtain those securely when dnsmasq
starts up, somewhat in the way unbound-anchor(1) from Unbound does.
On 11/02/14 12:10, Jan-Piet Mens wrote:
One thing to note: I've also completely changed the way the trust
anchors are specified, from DNSKEYS to DS records.
Very nice and, yes, it works. :)
All that's left
I wish, I wish. NSEC3 is still lurking.
is to find a way to obtain those securely
Is unbound-anchor fairly stand-alone? Maybe run unbound-anchor and
then convert the format of the resulting trust-anchors file would be
a viable solution?
Fairly, yes, but: if people can run unbound-anchor they have Unbound, so
what would be the point of dnsmasq as a validator? ;-)
-JP