Provide dnssec capabilities #28

Closed
bjmi opened this issue Oct 23, 2020 · 4 comments · Fixed by #30

@bjmi
Contributor

bjmi commented Oct 23, 2020

andyshinn/dnsmasq:latest doesn't provide the DNSSEC validation supported by dnsmasq.

$ docker run --rm andyshinn/dnsmasq:latest dnsmasq -v
Dnsmasq version 2.81  Copyright (c) 2000-2020 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile

Please consider switching to the dnsmasq-dnssec package, or can you provide another DNSSEC-flavored image? TIA!
Btw: dnsmasq 2.82 is available too.

@andyshinn
Contributor

Are there features that would change or be lost from switching to the dnsmasq-dnssec package?

@bjmi
Contributor Author

bjmi commented Oct 27, 2020

$ docker run --rm -it alpine:3.12 sh -c "apk add dnsmasq-dnssec; /usr/sbin/dnsmasq -v"
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
(1/3) Installing gmp (6.2.0-r0)
(2/3) Installing nettle (3.5.1-r1)
(3/3) Installing dnsmasq-dnssec (2.81-r0)
Executing dnsmasq-dnssec-2.81-r0.pre-install
Executing busybox-1.31.1-r19.trigger
OK: 7 MiB in 17 packages
Dnsmasq version 2.81  Copyright (c) 2000-2020 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile

The compile options
IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
and
IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
differ in DNSSEC and no-DNSSEC only.

I checked the content of both apks and the configuration files are identical.

@andyshinn
Contributor

Are you able to open a pull request for this? I think we could add it to the master branch and I can create an edge tag you can try until we release a new version. That way it can get some testing to make sure it doesn't affect other stuff. I don't know if the addition could affect latency or something like that.

@bjmi
Contributor Author

bjmi commented Nov 14, 2020

DNSSEC validation is disabled by default, therefore it shouldn't affect existing configurations, and it can be activated as follows:

dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf
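
The comparison made by eye in this thread, as an added example that is not part of the original issue or the project's code: it parses the "Compile time options" line of `dnsmasq -v`, reports which options differ between two builds, and emits the two settings above only when the build has DNSSEC compiled in. The function names are hypothetical; the two option lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the project): gate the DNSSEC settings on the build's capabilities.

# "Compile time options" lines as quoted in this thread.
OPTS_LATEST='Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile'
OPTS_DNSSEC_PKG='Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile'

# Read `dnsmasq -v` output on stdin, print the compile-time options one per line.
compile_opts() {
    sed -n 's/^Compile time options: *//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Succeed only if the exact token DNSSEC is present; "no-DNSSEC" must not match.
# Real use (assumption: dnsmasq is on PATH): has_dnssec "$(dnsmasq -v)"
has_dnssec() {
    printf '%s\n' "$1" | compile_opts | grep -qx 'DNSSEC'
}

# Print options found in only one build: "-opt" only in $1, "+opt" only in $2.
opts_diff() {
    a=$(printf '%s\n' "$1" | compile_opts)
    b=$(printf '%s\n' "$2" | compile_opts)
    for o in $a; do
        printf '%s\n' "$b" | grep -qxF -- "$o" || printf '%s\n' "-$o"
    done
    for o in $b; do
        printf '%s\n' "$a" | grep -qxF -- "$o" || printf '%s\n' "+$o"
    done
}

# Emit the settings from the thread only when the build can honour them.
dnssec_conf() {
    if has_dnssec "$1"; then
        printf '%s\n' 'dnssec' 'conf-file=/usr/share/dnsmasq/trust-anchors.conf'
    else
        echo 'dnsmasq built with no-DNSSEC: not enabling validation' >&2
        return 1
    fi
}

opts_diff "$OPTS_LATEST" "$OPTS_DNSSEC_PKG"   # prints -no-DNSSEC then +DNSSEC
dnssec_conf "$OPTS_DNSSEC_PKG"                # prints the two config lines
```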
