What | Removed | Added |
---|---|---|
Status | NEW | RESOLVED |
Resolution | --- | INVALID |
This is intended behaviour due to the change of the default for --dnssec-check-unsigned in version 2.80. To restore the old insecure behavior you can set dnssec-check-unsigned=no

--- snip ---

--dnssec-check-unsigned[=no]

As a default, dnsmasq checks that unsigned DNS replies are legitimate: this entails possible extra queries even for the majority of DNS zones which are not, at the moment, signed. If --dnssec-check-unsigned=no appears in the configuration, then such replies are assumed to be valid and passed on (without the "authentic data" bit set, of course). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast.

Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used --dnssec-check-unsigned to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possibility of forged replies, but it allows everything to appear to be working even when the upstream nameservers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.

--- snap ---
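As an added example (not part of the bug report or of the dnsmasq project's own documentation), the two configurations the comment contrasts, written as alternative dnsmasq.conf fragments; the trust-anchor include path is assumed to follow Debian's layout and may differ elsewhere:

```conf
# Fragment A: validating configuration (the 2.80+ default, written out explicitly).
# Enable DNSSEC validation; a root trust anchor is required (path is an assumption).
dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf
# Unsigned replies are proven unsigned with extra upstream queries before being
# passed on, so a forged unsigned answer for a signed zone is rejected.
dnssec-check-unsigned

# Fragment B: the pre-2.80 behaviour restored explicitly (insecure, use one or the other).
# Unsigned replies are passed straight through; a forged unsigned answer for a signed
# zone is accepted, and an upstream without DNSSEC support looks healthy even though
# no validation is happening at all.
dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec-check-unsigned=no
```

Pick one fragment, not both; after restarting dnsmasq, a validating setup will show the "authentic data" bit on answers from signed zones, whereas fragment B leaves it unset for unsigned data without telling you whether the upstream supports DNSSEC.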