dnsmasq 不检查 dnssec

Question

您读过吗man dnsmasq？部分内容如下：

   --proxy-dnssec
          A  resolver  on a client machine can do DNSSEC validation in two
          ways: it can perform the cryptograhic operations on the reply it
          receives, or it can rely on the upstream recursive nameserver to
          do the validation and set a bit in the  reply  if  it  succeeds.
          Dnsmasq  is  not  a  DNSSEC  validator, so it cannot perform the
          validation role of the recursive nameserver,  but  it  can  pass
          through   the   validation   results   from   its  own  upstream
          nameservers. This option enables this behaviour. You should only
          do this if you trust all the configured upstream nameservers and
          the network between you and them.  If you use the  first  DNSSEC
          mode,  validating  resolvers  in  clients,  this  option  is not
          required. Dnsmasq always returns  all  the  data  needed  for  a
          client to do validation itself.

因此看起来您的上游解析器没有通过验证结果。

在我的系统上（YMMV）：

w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE  rcvd: 46

w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                 Version                 Architecture            Description
+++-====================================-=======================-=======================-=============================================================================
un  dnsmasq                              <none>                  <none>                  (no description available)
ii  dnsmasq-base                         2.68-1ubuntu0.1         amd64                   Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$

Answer 1

您读过吗man dnsmasq？部分内容如下：

   --proxy-dnssec
          A  resolver  on a client machine can do DNSSEC validation in two
          ways: it can perform the cryptograhic operations on the reply it
          receives, or it can rely on the upstream recursive nameserver to
          do the validation and set a bit in the  reply  if  it  succeeds.
          Dnsmasq  is  not  a  DNSSEC  validator, so it cannot perform the
          validation role of the recursive nameserver,  but  it  can  pass
          through   the   validation   results   from   its  own  upstream
          nameservers. This option enables this behaviour. You should only
          do this if you trust all the configured upstream nameservers and
          the network between you and them.  If you use the  first  DNSSEC
          mode,  validating  resolvers  in  clients,  this  option  is not
          required. Dnsmasq always returns  all  the  data  needed  for  a
          client to do validation itself.

因此看起来您的上游解析器没有通过验证结果。

在我的系统上（YMMV）：

w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE  rcvd: 46

w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                 Version                 Architecture            Description
+++-====================================-=======================-=======================-=============================================================================
un  dnsmasq                              <none>                  <none>                  (no description available)
ii  dnsmasq-base                         2.68-1ubuntu0.1         amd64                   Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$

dnsmasq 不检查 dnssec

答案1

相关内容