dnsmasq 不检查 dnssec

dnsmasq 不检查 dnssec

我使用的是 Ubuntu 14.04.2 LTS。NetworkManager 使用 --proxy-dnssec 选项启动 dnsmasq。但是:

$ dig @127.0.1.1 dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62850
...
dnssec-failed.org.  5573    IN  A   69.252.80.75
...

知道为什么会发生这种情况吗?

谢谢

答案1

您读过吗man dnsmasq?部分内容如下:

   --proxy-dnssec
          A  resolver  on a client machine can do DNSSEC validation in two
          ways: it can perform the cryptograhic operations on the reply it
          receives, or it can rely on the upstream recursive nameserver to
          do the validation and set a bit in the  reply  if  it  succeeds.
          Dnsmasq  is  not  a  DNSSEC  validator, so it cannot perform the
          validation role of the recursive nameserver,  but  it  can  pass
          through   the   validation   results   from   its  own  upstream
          nameservers. This option enables this behaviour. You should only
          do this if you trust all the configured upstream nameservers and
          the network between you and them.  If you use the  first  DNSSEC
          mode,  validating  resolvers  in  clients,  this  option  is not
          required. Dnsmasq always returns  all  the  data  needed  for  a
          client to do validation itself.

因此看起来您的上游解析器没有通过验证结果。

在我的系统上(YMMV):

w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.     IN  A

;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE  rcvd: 46

w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                 Version                 Architecture            Description
+++-====================================-=======================-=======================-=============================================================================
un  dnsmasq                              <none>                  <none>                  (no description available)
ii  dnsmasq-base                         2.68-1ubuntu0.1         amd64                   Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$ 

相关内容