DNSSEC passthrough support in dnsmasq
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
network-manager (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre | 
Bug Description
I just noticed that Network Manager isn't using --proxy-dnssec for the local resolver.
Using this option is important for environments where the client (firefox or similar) is actively checking for the DNSSEC flags.
From dnsmasq's man page:
A resolver on a client machine can do DNSSEC validation in two ways: it
can perform the cryptographic operations on the reply it receives, or it
can rely on the upstream recursive nameserver to do the validation and
set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC validator,
so it cannot perform the validation role of the recursive name‐
only do this if you trust all the configured upstream nameservers and
the network between you and them. If you use the first DNSSEC mode,
As our dnsmasq should be as transparent as possible to the user, I believe doing dnssec passthrough is the right thing and will be important for some of our users.
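To check what this bug describes in practice, here is an added example (not from the bug report, NetworkManager or dnsmasq) that builds a query with the EDNS0 DO bit, sends it to the local resolver, and reports whether the reply carries the AD (Authenticated Data) flag, the bit dnsmasq only forwards from upstream when --proxy-dnssec is set. The resolver address 127.0.0.1:53 and the two sample reply headers are assumptions constructed for the example.

```python
import socket
import struct

# Constructed sample reply headers (12 bytes each, not captured from a real
# resolver): same transaction id, flags QR|RD|RA with and without AD (0x0020).
REPLY_WITH_AD = bytes.fromhex("1234 81a0 0001 0001 0000 0001")
REPLY_WITHOUT_AD = bytes.fromhex("1234 8180 0001 0001 0000 0001")

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query with RD set plus an EDNS0 OPT record carrying the DO bit,
    so a validating upstream will return its AD verdict."""
    # id, flags (RD=0x0100), qdcount=1, ancount=0, nscount=0, arcount=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0,
    # flags with DO=0x8000, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(reply: bytes) -> dict:
    """Decode the header flag bits that matter for DNSSEC passthrough."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # reply, not a query
        "ad": bool(flags & 0x0020),   # Authenticated Data: upstream validated
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,
    }

def validated_by_upstream(reply: bytes, expected_id: int = 0x1234) -> bool:
    """True only for a well-formed, successful reply that carries AD."""
    f = parse_flags(reply)
    if f["id"] != expected_id or not f["qr"] or f["rcode"] != 0:
        return False
    return f["ad"]

def probe(name: str, server: str = "127.0.0.1", timeout: float = 2.0) -> bool:
    """Ask the local resolver (assumed at 127.0.0.1:53) and report AD."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return validated_by_upstream(reply)
```

Without --proxy-dnssec, probe() returns False for every name even when the upstream validates, because dnsmasq strips the AD bit before answering.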
Changed in network-manager (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Yes, we should probably turn this on by default.
I'm kind of curious why dnsmasq makes this an option that they don't turn on by default though...