[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Simon Kelley simon at thekelleys.org.uk
Wed Oct 22 22:20:35 BST 2014


On 21/10/14 15:24, SiGe wrote:
> I experienced that problem myself, posted about it on the mailing list
> a few days ago.
> At least it happens on my domain that has both a SHA-1 AND 256 hash.
> I'm experiencing it with the version currently shipped in the current
> stable OpenWRT version.
> 
> So you're not alone there. Too bad my other post was unacknowledged so far :/

Apologies for the lack of acknowledgement. I'm currently very busy and
traveling. Getting to where I have available time _and_ a good cellphone
signal is tricky, and I have a huge email backlog to crawl out from.
I'll look at this as soon as I can.


Cheers,

Simon.

> 
> ~ Simon
> 
> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
> <michael.tremer at ipfire.org> wrote:
>>
>> Hello fellow dnsmasq users,
>>
>> there is a topic on the IPFire support forums I would like to point you
>> to:
>>
>>   http://forum.ipfire.org/index.php?topic=11726.0
>>
>> It appears that dnsmasq cannot verify resource records of a
>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
>> signatures. Although there is some code in dnsmasq that is supposed to
>> handle this, it does not verify the records correctly.
>>
>> Did anyone else experience this problem? Is it a bug with dnsmasq or the
>> authoritative name servers of that domain?
>>
>> Best,
>> -Michael
>>
>> ________________________________
>>
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



