Roman Maeder
2016-11-14 12:19:54 UTC
There was a discussion 3 years ago about the AD flag with proxy-dnssec,
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007881.html
Now, I seem to see the opposite behaviour. With proxy-dnssec set, answers from the cache are missing
the AD flag, even though it was present on the first reply for a name not yet in the cache.
The first "dig +ad sigok.verteiltesysteme.net", for example, gives me the AD flag:
; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> +dnssec +noadditional sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56545
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
A few seconds later, the same query returns
; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> +ad +noadditional sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41386
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
and this continues as long as the cache is used.
When I disable the cache, I always get the AD flag as expected.
The way I use dnsmasq is with NetworkManager, so that it can handle DNS servers for domains
that should go via VPN, and sends everything else upstream to my local validating server
(pfSense with unbound). Any queries sent directly to it always return the AD flag if appropriate.
The version is from Debian dnsmasq-base, 2.72-3+deb8u
cmdline args from NetworkManager:
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts
--bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid
--listen-address=127.0.0.1
--conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=400
--proxy-dnssec --conf-dir=/etc/NetworkManager/dnsmasq.d
Roman
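To make the symptom in the post checkable without reading dig headers by eye, here is an added example (not code from the post, from dnsmasq or from NetworkManager) that parses the 12-byte DNS header, reports the AD bit, and compares a first answer with a later, possibly cached, answer for the same name. The two constructed responses FIRST and CACHED carry only the header fields shown in the post (ids 56545 and 41386, their flags and section counts); the resource-record sections are omitted. The function names (parse_header, has_ad, ad_lost_on_cache, build_query, query_udp) are the example's own, and the live query helper sets only the AD bit on the query, as `dig +ad` does, without EDNS or the DO bit.

```python
"""Inspect the AD (Authenticated Data) bit in DNS responses.

Added example, not code from the post or from dnsmasq. Parses the 12-byte
DNS header (RFC 1035 section 4.1.1; AD and CD bits per RFC 4035) so the
"AD on the first reply, gone on the cached reply" symptom can be checked
on raw wire messages. All names below are this example's own.
"""
import socket
import struct

# Bits of the header's second 16-bit word (flags + rcode).
QR, AA, TC, RD, RA, AD, CD = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7, 1 << 5, 1 << 4
FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))


def parse_header(msg):
    """Return id, flag names (in dig's order), rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_NAMES if flags & bit],
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def has_ad(msg):
    """True when the responder asserts the answer was DNSSEC-validated."""
    return bool(struct.unpack("!H", msg[2:4])[0] & AD)


def ad_lost_on_cache(first, later):
    """The symptom from the post: validated first answer, unvalidated later one."""
    return has_ad(first) and not has_ad(later)


def encode_name(name):
    """Wire-format QNAME: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, ident=0x1234, qtype=1):
    """Query with RD and AD set, as `dig +ad` sends it (no EDNS, no DO bit)."""
    header = struct.pack("!6H", ident, RD | AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def query_udp(name, server, port=53, timeout=3.0):
    """Send the query to a resolver and return the raw response (needs a network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        while True:
            resp, _ = s.recvfrom(4096)
            if resp[:2] == q[:2]:  # only accept the matching transaction id
                return resp


def build_response(ident, flag_bits, counts):
    """Constructed response header only; RR sections are deliberately omitted."""
    return struct.pack("!6H", ident, flag_bits, *counts)


# Constructed messages mirroring the two headers shown in the post.
FIRST = build_response(56545, QR | RD | RA | AD, (1, 2, 3, 9))
CACHED = build_response(41386, QR | RD | RA, (1, 1, 0, 1))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python ad_check.py <name> <resolver-ip>: live check
        first = query_udp(sys.argv[1], sys.argv[2])
        later = query_udp(sys.argv[1], sys.argv[2])
    else:  # offline: replay the constructed headers from the post
        first, later = FIRST, CACHED
    for label, msg in (("first", first), ("later", later)):
        h = parse_header(msg)
        print(label, "id:", h["id"], "flags:", " ".join(h["flags"]), "counts:", h["counts"])
    print("AD lost on later answer:", ad_lost_on_cache(first, later))
```

Run it with no arguments to replay the two headers from the post; run it as `python ad_check.py sigok.verteiltesysteme.net 127.0.0.1` to send the same query twice to a local dnsmasq and see whether the second, cached answer still carries AD. Because the query helper does not add EDNS, the responses it gets back will not include RRSIG records; only the AD bit itself is being compared here.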