[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Simon Kelley simon at thekelleys.org.uk
Tue Dec 23 16:02:43 GMT 2014


I just looked at this. Simon's stripeyc.at is now working for me. I
don't think I found any problems with 2.72 on that one though.

The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
definitely found a bug in dnsmasq (combination of NSEC3 and
wildcards.) I think that's all fixed in the current git HEAD /
2.73test2. Michael, please could you confirm, and pass this back to
the ipfire list?

Cheers,

Simon.


On 22/10/14 22:37, Simon Gebler wrote:
> Sorry if I sounded rude or anything. Have a safe journey!
> 
> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
>> On 21/10/14 15:24, SiGe wrote:
>>> I experienced that problem myself, posted about it on the mailing
>>> list a few days ago. At least it happens on my domain that has both
>>> a SHA-1 AND 256 hash. I'm experiencing it with the version
>>> currently shipped in the current stable OpenWRT version.
>>> 
>>> So you're not alone there. Too bad my other post was
>>> unacknowledged so far :/
>> 
>> Apologies for the lack of acknowledgement. I'm currently very
>> busy and traveling. Getting to where I have available time _and_
>> a good cellphone signal is tricky, and I have a huge email
>> backlog to crawl out from. I'll look at this as soon as I can.
>> 
>> 
>> Cheers,
>> 
>> Simon.
>> 
>>> 
>>> ~ Simon
>>> 
>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer 
>>> <michael.tremer at ipfire.org> wrote:
>>>> 
>>>> Hello fellow dnsmasq users,
>>>> 
>>>> there is a topic on the IPFire support forums I would like to
>>>> point you to:
>>>> 
>>>> http://forum.ipfire.org/index.php?topic=11726.0
>>>> 
>>>> It appears that dnsmasq cannot verify resource records of a
>>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
>>>> for its signatures. Although there is some code in dnsmasq
>>>> that is supposed to handle this, it does not verify the
>>>> records correctly.
>>>> 
>>>> Did anyone else experience this problem? Is it a bug with
>>>> dnsmasq or the authoritative name servers of that domain?
>>>> 
>>>> Best, -Michael
>>>> 
>>>> ________________________________
>>>> 
>>>> Dnsmasq-discuss mailing list 
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss