[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
simon at thekelleys.org.uk
Tue Dec 23 16:02:43 GMT 2014
I just looked at this. Simon's stripeyc.at is now working for me. I
don't think I found any problems with 2.72 on that one though.
The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
definitely found a bug in dnsmasq (combination of NSEC3 and
wildcards.) I think that's all fixed in the current git HEAD /
2.73test2. Michael, please could you confirm, and pass this back to
the ipfire list?
On 22/10/14 22:37, Simon Gebler wrote:
> Sorry if I sounded rude or anything. Have a safe journey!
> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
>> On 21/10/14 15:24, SiGe wrote:
>>> I experienced that problem myself, posted about it on the
>>> a few days ago. At least it happens on my domain that has both
>>> a SHA-1 AND 256 hash. I'm experiencing it with the version
>>> currently shipped in the current stable OpenWRT version.
>>> So you're not alone there. Too bad my other post was
>>> so far :/
>> Apologies for the lack of acknowledgement. I'm currently very
>> busy and traveling. Getting to where I have available time _and_
>> a good cellphone signal is tricky, and I have a huge email
>> backlog to crawl out from. I'll look at this as soon as I can.
>>> ~ Simon
>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
>>> <michael.tremer at ipfire.org> wrote:
>>>> Hello fellow dnsmasq users,
>>>> there is a topic on the IPFire support forums I would like to
>>>> It appears that dnsmasq cannot verify resource records of a
>>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
>>>> for its signatures. Although there is some code in dnsmasq
>>>> that is supposed to handle this, it does not verify the records
>>>> correctly.
>>>> Did anyone else experience this problem? Is it a bug with
>>>> dnsmasq or
>>>> authoritative name servers of that domain?
>>>> Best, -Michael