Redesign the interaction between DNSSEC vaildation and per-domain servers.

This should just work in all cases now. If the normal chain-of-trust exists into the delegated domain then whether the domain is signed or not, DNSSEC validation will function normally. In the case the delgated domain is an "overlay" on top of the global DNS and no NS and/or DS records exist connecting it to the global dns, then if the domain is unsigned the situation will be handled by synthesising a proof-of-non-existance-of-DS for the domain and queries will be answered unvalidated; this action will be logged. A signed domain without chain-of-trust can be validated if a suitable trust-anchor is provided using --trust-anchor. Thanks to Uwe Kleine-König for prompting this change, and contributing valuable insights into what could be improved.
2025-12-19 10:18:25 +00:00 · 2025-02-02 20:28:54 +00:00
parent 3e659bd4ec
commit 57f0489f38
9 changed files with 126 additions and 75 deletions
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -930,7 +930,8 @@ int main (int argc, char **argv)
 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));

      for (ds = daemon->ds; ds; ds = ds->next)
-	my_syslog(LOG_INFO, _("configured with trust anchor for %s keytag %u"),
+	my_syslog(LOG_INFO,
+		  ds->digestlen == 0 ? _("configured with negative trust anchor for %s") : _("configured with trust anchor for %s keytag %u"),
 		  ds->name[0] == 0 ? "<root>" : ds->name, ds->keytag);
    }
 #endif