DNSSEC passthrough support in dnsmasq

Bug #946093 reported by Stéphane Graber on 2012-03-04
Affects: network-manager (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Mathieu Trudel-Lapierre

Bug Description

I just noticed that Network Manager isn't using --proxy-dnssec for the local resolver.
Using this option is important for environments where the client (firefox or similar) is actively checking for the DNSSEC flags.

From dnsmasq's man page:
       --proxy-dnssec
              A resolver on a client machine can do DNSSEC validation in two ways: it
              can perform the cryptographic operations on the reply it receives, or it
              can rely on the upstream recursive nameserver to do the validation and
              set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC validator,
              so it cannot perform the validation role of the recursive nameserver,
              but it can pass through the validation results from its own upstream
              nameservers. This option enables this behaviour. You should only do
              this if you trust all the configured upstream nameservers and the
              network between you and them. If you use the first DNSSEC mode,
              validating resolvers in clients, this option is not required. Dnsmasq
              always returns all the data needed for a client to do validation
              itself.

As our dnsmasq should be as transparent as possible to the user, I believe doing dnssec passthrough is the right thing and will be important for some of our users.
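The check a practitioner wants for this report is whether the local dnsmasq actually hands the AD (Authenticated Data) bit back to the client, since that bit is all a non-validating client such as the browser mentioned above looks at. The script below is an added example written for this page; it is not code from network-manager, dnsmasq or any of the bug's participants. It builds a minimal query that asks for AD (AD=1 in the query header, per RFC 6840 section 5.7) with EDNS0 DO=1, and inspects the AD flag of the reply. The sample replies are constructed inline so the flag check runs offline; query_resolver() optionally sends the same query to a real resolver over UDP. The resolver address 127.0.0.1 and the name example.com are assumptions for the demonstration.

```python
"""Check whether a forwarding resolver passes the DNSSEC AD bit through.

Added example for this bug report; it is not code from network-manager,
dnsmasq or the bug's participants. It builds a minimal DNS query that asks
for the AD (Authenticated Data) bit (AD=1 in the query, RFC 6840 section
5.7) and sets the EDNS0 DO bit, then inspects the AD flag in the answer
header. Sample responses are constructed inline so the check runs offline;
query_resolver() optionally sends the query to a real resolver over UDP.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
OPT_TYPE = 41
EDNS_DO = 0x8000    # DO bit is the high bit of the OPT RR "TTL" field

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020    # Authenticated Data: set by a validating resolver
FLAG_CD = 0x0010    # Checking Disabled


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, want_ad: bool = True) -> bytes:
    """Query with RD=1, AD=1 (if want_ad) and an OPT RR with DO=1, 4096-byte UDP size."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | flags (DO), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag and count fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def ad_passed_through(query: bytes, response: bytes) -> bool:
    """True when the answer to `query` carries AD=1.

    AD is only a header bit: it proves nothing by itself and is only worth
    trusting if every hop between the client and the validating resolver
    (the local proxy, its upstreams and the network to them) is trusted."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match query")
    return r["ad"]


def sample_response(txid: int, ad: bool, name: str = "example.com") -> bytes:
    """Constructed (not captured) NOERROR answer: header plus question section.
    ad=True models a validating upstream whose AD bit the proxy forwarded;
    ad=False models a proxy that cleared it (or an upstream that never set it)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def query_resolver(name: str, server: str = "127.0.0.1", port: int = 53,
                   timeout: float = 2.0) -> bool:
    """Send the query to a live resolver (assumed local dnsmasq) and report AD."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return ad_passed_through(q, resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python3 adcheck.py <name> [resolver-ip]
        name = sys.argv[1]
        server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
        print("%s via %s: AD=%s" % (name, server, query_resolver(name, server)))
    else:
        q = build_query("example.com")
        print("AD proxied:", ad_passed_through(q, sample_response(0x1234, True)))
        print("AD stripped:", ad_passed_through(q, sample_response(0x1234, False)))
```

Run it against the NetworkManager-spawned dnsmasq for a name in a signed zone, once with and once without --proxy-dnssec; with the option and a validating upstream the reply should come back with AD set. A cleared bit only tells you that no hop asserted validation: it cannot distinguish a proxy stripping AD from an upstream that does not validate, and a set bit is only meaningful under the trust assumption the man page spells out above, since nothing in the reply authenticates the bit itself.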

Marc Deslauriers (mdeslaur) wrote :

Yes, we should probably turn this on by default.

I'm kind of curious why dnsmasq makes this an option that they don't turn on by default though...

Changed in network-manager (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Marc Deslauriers (mdeslaur) wrote :

Ah, the default must be when someone is using dnsmasq on a network, and not locally, so it makes sense to turn it on in our use case.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.2.0+git201202161854.8572ecf-0ubuntu6

---------------
network-manager (0.9.2.0+git201202161854.8572ecf-0ubuntu6) precise; urgency=low

  * debian/patches/dnsmasq-dnssec-passthrough.patch: have dnsmasq proxy DNSSEC
    data; otherwise we'll get DNSSEC-enabled sites show as non-DNSSEC in
    browsers (which would be a regression from the behavior of the libc
    resolver). (LP: #946093)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 05 Mar 2012 11:22:00 -0500

Changed in network-manager (Ubuntu):
status: In Progress → Fix Released