http://bugzilla.opensuse.org/show_bug.cgi?id=1192282
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c3
Reinhard Max changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #3 from Reinhard Max ---
This is intended behaviour due to the change of the default for
--dnssec-check-unsigned in version 2.80. To restore the old insecure behavior
you can set
dnssec-check-unsigned=no
--- snip ---
--dnssec-check-unsigned[=no]
As a default, dnsmasq checks that unsigned DNS replies are legitimate:
this entails possible extra queries even for the majority of DNS zones
which are not, at the moment, signed. If --dnssec-check-unsigned=no
appears in the configuration, then such replies are assumed to be valid
and passed on (without the "authentic data" bit set, of course). This
does not protect against an attacker forging unsigned replies for signed
DNS zones, but it is fast.

Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned
replies, and used --dnssec-check-unsigned to switch this on. Such
configurations will continue to work as before, but those which used the
default of no checking will need to be altered to explicitly select no
checking. The new default is because switching off checking for unsigned
replies is inherently dangerous. Not only does it open the possibility
of forged replies, but it allows everything to appear to be working even
when the upstream nameservers do not support DNSSEC, and in this case no
DNSSEC validation at all is occurring.
--- snap ---
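As an added example (not part of the bug report and not dnsmasq's own code), a small Python audit of dnsmasq.conf syntax that reports whether the settings above leave unsigned replies unchecked; the two sample configurations and the trust-anchor digest are constructed placeholders, and the version argument models the 2.80 default change.

```python
# Added example: audit dnsmasq.conf for the DNSSEC settings discussed above.
from __future__ import annotations

# Constructed sample configs; the trust-anchor digest is a placeholder, not a real DS.
CONF_RESTORED_OLD_BEHAVIOUR = """\
dnssec
trust-anchor=.,20326,8,2,PLACEHOLDER-DIGEST
# restores the pre-2.80 behaviour described in the comment
dnssec-check-unsigned=no
"""
CONF_HARDENED = """\
dnssec
trust-anchor=.,20326,8,2,PLACEHOLDER-DIGEST
"""


def audit_dnsmasq_dnssec(conf_text: str, version: tuple[int, int] = (2, 80)) -> dict:
    """Return effective DNSSEC settings plus findings; `version` picks the
    built-in default for dnssec-check-unsigned (off before 2.80, on from 2.80)."""
    dnssec = trust_anchor = False
    check_unsigned = version >= (2, 80)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dnssec":
            dnssec = True
        elif key == "trust-anchor":
            trust_anchor = True
        elif key == "dnssec-check-unsigned":
            check_unsigned = value.lower() != "no"  # bare option = on, "=no" = off
    findings = []
    if not dnssec:
        findings.append("no 'dnssec' line: DNSSEC validation is off entirely")
    elif not trust_anchor:
        # the anchor may arrive via an included conf-file, so this is only a warning
        findings.append("no trust-anchor in this file; validation needs one")
    if dnssec and not check_unsigned:
        findings.append("dnssec-check-unsigned=no: unsigned replies are passed on "
                        "without proving the zone is unsigned (pre-2.80 behaviour)")
    return {"dnssec": dnssec, "trust_anchor": trust_anchor,
            "check_unsigned": check_unsigned, "findings": findings}


if __name__ == "__main__":
    print(audit_dnsmasq_dnssec(CONF_RESTORED_OLD_BEHAVIOUR)["findings"])
    print(audit_dnsmasq_dnssec(CONF_HARDENED)["findings"])
```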