* [ISSUE] dnsmasq needs to be built with DNSSEC support
@ 2024-06-20 17:48 uhohspaghetios
2024-06-23 11:08 ` dnsmasq: enable DNSSEC build option by default piekay
` (5 more replies)
0 siblings, 6 replies; 10+ messages in thread
From: uhohspaghetios @ 2024-06-20 17:48 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 724 bytes --]
New issue by uhohspaghetios on void-packages repository
https://github.com/void-linux/void-packages/issues/50904
Description:
I see no reason dnsmasq should not be built with DNSSEC support.
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
At present even when forwarding DNS requests to, for example, 9.9.9.9 or 1.1.1.1 caching nameservers with DNSSEC support, the result on the local network is no DNSSEC protection.
For example, if you try to get an IP using dig or any other method of dnssec-failed.org, it should not return a ping because the DNSSEC is signed with an invalid key. If your system returns an IP address for this domain name, you are at risk of DNS poisoning.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
@ 2024-06-23 11:08 ` piekay
2024-06-26 13:53 ` uhohspaghetios
` (4 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: piekay @ 2024-06-23 11:08 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 356 bytes --]
New comment by piekay on void-packages repository
https://github.com/void-linux/void-packages/issues/50904#issuecomment-2184946211
Comment:
Dnsmasq is already being compiled with DNSSEC support. It just isn't enabled by default. See #41786. I am not entirely sure if it's worth it to enable DNSSEC by default and potentially breaking somebodys workflow
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
2024-06-23 11:08 ` dnsmasq: enable DNSSEC build option by default piekay
@ 2024-06-26 13:53 ` uhohspaghetios
2024-06-26 13:53 ` uhohspaghetios
` (3 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: uhohspaghetios @ 2024-06-26 13:53 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 912 bytes --]
New comment by uhohspaghetios on void-packages repository
https://github.com/void-linux/void-packages/issues/50904#issuecomment-2191766843
Comment:
I am going to disagree with you there. I get this error when setting the dnssec option in dnsmasq.conf
`% doas dnsmasq -u dnsmasq -g dnsmasq
dnsmasq: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 6 of /usr/share/dnsmasq/trust-anchors.conf`
My dnsmasq.conf file:
`conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
strict-order
no-resolv
server=::1#53000
listen-address=::1
no-dhcp-interface=::1
bind-interfaces
no-hosts
cache-size=1000`
I took a look at the template file. I see the build option to build with DNSSEC support, but apparently that is not happening.
From the template:
`build_options="dnssec"
desc_option_dnssec="Enable DNSSEC support via nettle"`
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
2024-06-23 11:08 ` dnsmasq: enable DNSSEC build option by default piekay
2024-06-26 13:53 ` uhohspaghetios
@ 2024-06-26 13:53 ` uhohspaghetios
2024-06-26 13:54 ` uhohspaghetios
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: uhohspaghetios @ 2024-06-26 13:53 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 916 bytes --]
New comment by uhohspaghetios on void-packages repository
https://github.com/void-linux/void-packages/issues/50904#issuecomment-2191766843
Comment:
I am going to disagree with you there. I get this error when setting the dnssec option in dnsmasq.conf
> % doas dnsmasq -u dnsmasq -g dnsmasq
>
> dnsmasq: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 6 of /usr/share/dnsmasq/trust-anchors.conf
My dnsmasq.conf file:
`conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
strict-order
no-resolv
server=::1#53000
listen-address=::1
no-dhcp-interface=::1
bind-interfaces
no-hosts
cache-size=1000`
I took a look at the template file. I see the build option to build with DNSSEC support, but apparently that is not happening.
From the template:
`build_options="dnssec"
desc_option_dnssec="Enable DNSSEC support via nettle"`
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
` (2 preceding siblings ...)
2024-06-26 13:53 ` uhohspaghetios
@ 2024-06-26 13:54 ` uhohspaghetios
2024-06-26 14:05 ` classabbyamp
2024-06-26 15:23 ` [ISSUE] [CLOSED] " classabbyamp
5 siblings, 0 replies; 10+ messages in thread
From: uhohspaghetios @ 2024-06-26 13:54 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 983 bytes --]
New comment by uhohspaghetios on void-packages repository
https://github.com/void-linux/void-packages/issues/50904#issuecomment-2191766843
Comment:
I am going to disagree with you there. I get this error when setting the dnssec option in dnsmasq.conf
> % doas dnsmasq -u dnsmasq -g dnsmasq
>
> dnsmasq: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 6 of /usr/share/dnsmasq/trust-anchors.conf
My dnsmasq.conf file:
> conf-file=/usr/share/dnsmasq/trust-anchors.conf
> dnssec
> strict-order
> no-resolv
> server=::1#53000
> listen-address=::1
> no-dhcp-interface=::1
> bind-interfaces
> no-hosts
> cache-size=1000
I took a look at the template file. I see the build option to build with DNSSEC support, but apparently that is not happening.
From the template:
> build_options="dnssec"
> desc_option_dnssec="Enable DNSSEC support via nettle"
What calls that build option to be set?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
` (3 preceding siblings ...)
2024-06-26 13:54 ` uhohspaghetios
@ 2024-06-26 14:05 ` classabbyamp
2024-06-26 15:23 ` [ISSUE] [CLOSED] " classabbyamp
5 siblings, 0 replies; 10+ messages in thread
From: classabbyamp @ 2024-06-26 14:05 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 206 bytes --]
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/50904#issuecomment-2191800918
Comment:
https://github.com/void-linux/void-packages#build-options
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [ISSUE] [CLOSED] dnsmasq: enable DNSSEC build option by default
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
` (4 preceding siblings ...)
2024-06-26 14:05 ` classabbyamp
@ 2024-06-26 15:23 ` classabbyamp
5 siblings, 0 replies; 10+ messages in thread
From: classabbyamp @ 2024-06-26 15:23 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 727 bytes --]
Closed issue by uhohspaghetios on void-packages repository
https://github.com/void-linux/void-packages/issues/50904
Description:
I see no reason dnsmasq should not be built with DNSSEC support.
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
At present even when forwarding DNS requests to, for example, 9.9.9.9 or 1.1.1.1 caching nameservers with DNSSEC support, the result on the local network is no DNSSEC protection.
For example, if you try to get an IP using dig or any other method of dnssec-failed.org, it should not return a ping because the DNSSEC is signed with an invalid key. If your system returns an IP address for this domain name, you are at risk of DNS poisoning.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PR PATCH] dnsmasq: enable dnssec build option by default
@ 2023-01-21 21:49 rvighne
2023-02-12 20:39 ` rvighne
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: rvighne @ 2023-01-21 21:49 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 755 bytes --]
There is a new pull request by rvighne against master on the void-packages repository
https://github.com/rvighne/void-packages dnsmasq/enable-dnssec
https://github.com/void-linux/void-packages/pull/41786
dnsmasq: enable dnssec build option by default
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, x86_64-musl
#### Notes
I uncommented these lines in `/etc/dnsmasq.conf`;
```
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
```
Logs show it worked:
```
DNSSEC validation enabled
configured with trust anchor for <root> keytag 20326
```
A patch file from https://github.com/void-linux/void-packages/pull/41786.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-dnsmasq/enable-dnssec-41786.patch --]
[-- Type: text/x-diff, Size: 969 bytes --]
From 38e1e3b10a427d631541cef5f58b95d6baf8a351 Mon Sep 17 00:00:00 2001
From: Rohit Vighne <rohit.vighne@gmail.com>
Date: Fri, 20 Jan 2023 21:19:53 -0500
Subject: [PATCH] dnsmasq: enable dnssec build option by default
---
srcpkgs/dnsmasq/template | 3 +++
1 file changed, 3 insertions(+)
diff --git a/srcpkgs/dnsmasq/template b/srcpkgs/dnsmasq/template
index ce8536b96140..df39285ca940 100644
--- a/srcpkgs/dnsmasq/template
+++ b/srcpkgs/dnsmasq/template
@@ -16,6 +16,7 @@ system_accounts="dnsmasq"
dnsmasq_homedir="/var/chroot"
build_options="dnssec"
+build_options_default="dnssec"
desc_option_dnssec="Enable DNSSEC support via nettle"
do_build() {
@@ -31,6 +32,8 @@ do_install() {
make PREFIX=/usr BINDIR=/usr/bin DESTDIR=${DESTDIR} install
vsv dnsmasq
+ vsconf dnsmasq.conf.example dnsmasq.conf
vconf dnsmasq.conf.example dnsmasq.conf
vinstall ${FILESDIR}/dbus.conf 644 etc/dbus-1/system.d
+ vinstall trust-anchors.conf 644 usr/share/dnsmasq
}
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable dnssec build option by default
2023-01-21 21:49 [PR PATCH] dnsmasq: enable dnssec " rvighne
@ 2023-02-12 20:39 ` rvighne
2023-03-12 21:01 ` rvighne
2023-06-11 2:09 ` github-actions
2 siblings, 0 replies; 10+ messages in thread
From: rvighne @ 2023-02-12 20:39 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 328 bytes --]
New comment by rvighne on void-packages repository
https://github.com/void-linux/void-packages/pull/41786#issuecomment-1427127356
Comment:
Not sure why this PR is being ignored; can I get a code review on this? @ahesford @paper42 since I see you most recently modified this file. @pullmoll since you added this build option.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable dnssec build option by default
2023-01-21 21:49 [PR PATCH] dnsmasq: enable dnssec " rvighne
2023-02-12 20:39 ` rvighne
@ 2023-03-12 21:01 ` rvighne
2023-06-11 2:09 ` github-actions
2 siblings, 0 replies; 10+ messages in thread
From: rvighne @ 2023-03-12 21:01 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1708 bytes --]
New comment by rvighne on void-packages repository
https://github.com/void-linux/void-packages/pull/41786#issuecomment-1465298617
Comment:
> Don't ping people just because they touched a template. We're a small, volunteer group without strict procedures for review and acceptance. People get to things when they get to them. When somebody comes along that has an interest in this package and in your change to the default build options, that person will likely comment or merge the changes.
Understood. Though I don't see how a new contributor could tell the difference between "reviewers have seen this but they're busy so they'll get to it eventually" and "there's something wrong with this PR so nobody's reviewing it".
> I have no idea whether enabling this option by default will break somebody's workflow. You show that the option works when you enable it, but offer no comments about what impact this change might have in existing users.
This option enables a feature that is disabled by default unless you have `dnssec` in the config file. It's not possible that someone already had this option enabled and their dnsmasq instance will suddenly start to behave differently, because non-dnssec-capable builds of dnsmasq will fail to start up if given that flag.
Enabling the dnssec build option also has the side effect of adding `nettle` as a dependency, which is tiny (600KB).
Also, it's pretty unlikely in 2023 that you would want to set up a DNS resolver that ignores DNSSEC. I don't know if Void has any guidelines for this type of thing, but having secure defaults (and not making users build their own package just to get a basic security feature) seems like a good idea to me.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: dnsmasq: enable dnssec build option by default
2023-01-21 21:49 [PR PATCH] dnsmasq: enable dnssec " rvighne
2023-02-12 20:39 ` rvighne
2023-03-12 21:01 ` rvighne
@ 2023-06-11 2:09 ` github-actions
2 siblings, 0 replies; 10+ messages in thread
From: github-actions @ 2023-06-11 2:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 305 bytes --]
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/pull/41786#issuecomment-1585973935
Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that. If this pull request is still relevant bump it or assign it.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2024-06-26 15:23 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-20 17:48 [ISSUE] dnsmasq needs to be built with DNSSEC support uhohspaghetios
2024-06-23 11:08 ` dnsmasq: enable DNSSEC build option by default piekay
2024-06-26 13:53 ` uhohspaghetios
2024-06-26 13:53 ` uhohspaghetios
2024-06-26 13:54 ` uhohspaghetios
2024-06-26 14:05 ` classabbyamp
2024-06-26 15:23 ` [ISSUE] [CLOSED] " classabbyamp
-- strict thread matches above, loose matches on Subject: below --
2023-01-21 21:49 [PR PATCH] dnsmasq: enable dnssec " rvighne
2023-02-12 20:39 ` rvighne
2023-03-12 21:01 ` rvighne
2023-06-11 2:09 ` github-actions
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).