[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Michael Tremer
michael.tremer at ipfire.org
Fri Jan 2 09:42:39 GMT 2015
Hello Simon,
thanks for looking into this. Unfortunately I did not have enough time
to look into that last year.
Whilst writing this, I am building a version of dnsmasq 2.72 with some
patches from the git repository. I also hope that these will fix this
problem that we are experiencing with lots of installations:
https://bugzilla.ipfire.org/show_bug.cgi?id=10607
It will take me a couple of days to confirm if the crash is gone, so
please stay tuned for that. I will also try to encourage some of our
users to test this pre-release.
If that would be of any help, I can try setting up a domain that signs
its records by using that algorithm.
-Michael
On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> I just looked at this. Simon's stripeyc.at is now working for me. I
> don't think I found any problems with 2.72 on that one though.
>
> The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
> definitely found a bug in dnsmasq (combination of NSEC3 and
> wildcards.) I think that's all fixed in the current git HEAD /
> 2.73test2. Michael, please could you confirm, and pass this back to
> the ipfire list?
>
> Cheers,
>
> Simon.
>
>
> On 22/10/14 22:37, Simon Gebler wrote:
> > Sorry if I sounded rude or anything. Have a safe journey!
> >
> > On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> > <simon at thekelleys.org.uk> wrote:
> >> On 21/10/14 15:24, SiGe wrote:
> >>> I experienced that problem myself, posted about it on the
> >>> mailing list a few days ago. At least it happens on my domain
> >>> that has both a SHA-1 AND 256 hash. I'm experiencing it with the
> >>> version currently shipped in the current stable OpenWRT version.
> >>>
> >>> So you're not alone there. Too bad my other post was
> >>> unacknowledged so far :/
> >>
> >> Apologies for the lack of acknowledgement. I'm currently very
> >> busy and traveling. Getting to where I have available time _and_
> >> a good cellphone signal is tricky, and I have a huge email
> >> backlog to crawl out from. I'll look at this as soon as I can.
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>>
> >>> ~ Simon
> >>>
> >>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
> >>> <michael.tremer at ipfire.org> wrote:
> >>>>
> >>>> Hello fellow dnsmasq users,
> >>>>
> >>>> there is a topic on the IPFire support forums I would like to
> >>>> point you to:
> >>>>
> >>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>>
> >>>> It appears that dnsmasq cannot verify resource records of a
> >>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
> >>>> for its signatures. Although there is some code in dnsmasq
> >>>> that is supposed to handle this, it does not verify the
> >>>> records correctly.
> >>>>
> >>>> Did anyone else experience this problem? Is it a bug with
> >>>> dnsmasq or the authoritative name servers of that domain?
> >>>>
> >>>> Best, -Michael
> >>>>
> >>>> ________________________________
> >>>>
> >>>> Dnsmasq-discuss mailing list
> >>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
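Added example for this thread (it is not code from the thread or from dnsmasq): the NSEC3 hashing and denial-of-existence logic from RFC 5155 that a validator has to apply to a zone signed with RSA/SHA1-NSEC3-SHA1, including the wildcard cases Simon mentions as the source of the bug. The zone "example" and its five names are constructed for the demonstration; the salt and iteration count are those of the example zone in RFC 5155 Appendix A, and the type bitmaps, RRSIGs and the opt-out flag are left out.

```python
"""NSEC3 hashing and denial-of-existence checks from RFC 5155.

Added example for this thread, not dnsmasq's code: what a validator has to
get right for a zone signed with RSA/SHA1-NSEC3-SHA1 (algorithm 7) that
also uses wildcards. Standard library only.
"""
import base64
import hashlib

# NSEC3 owner names use base32 with the RFC 4648 "extended hex" alphabet,
# chosen because it sorts in the same order as the raw hash bytes.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    """Presentation-format name -> lowercase labels, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): length-prefixed labels, then 0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5: IH(0) = H(wire || salt); IH(k) = H(IH(k-1) || salt).
    Hash algorithm 1 (SHA-1) is the only one defined. Returns base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


class NSEC3:
    """One NSEC3 RR reduced to what the proofs need: hashed owner, hashed next."""

    def __init__(self, owner_hash, next_hash):
        self.owner, self.next = owner_hash.upper(), next_hash.upper()

    def matches(self, h):
        return self.owner == h

    def covers(self, h):
        """h lies strictly between owner and next; the last record of the
        chain has next < owner and wraps around to the first."""
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next


def closest_encloser(qname, zone, chain, salt, iters):
    """RFC 5155 s8.3: strip labels from qname until an NSEC3 *matches*; the
    name stripped just before it (the "next closer") must be *covered*.
    Returns (closest_encloser, next_closer), or None if the proof fails."""
    ls, zl, next_closer = labels(qname), labels(zone), None
    while len(ls) >= len(zl):
        name = ".".join(ls)
        if any(r.matches(nsec3_hash(name, salt, iters)) for r in chain):
            if next_closer is None:
                return None            # qname itself exists: nothing to deny
            nc = nsec3_hash(next_closer, salt, iters)
            return (name, next_closer) if any(r.covers(nc) for r in chain) else None
        next_closer, ls = name, ls[1:]
    return None                        # walked out of the zone without a match


def proves_name_error(qname, zone, chain, salt, iters):
    """NXDOMAIN proof (s8.4): closest-encloser proof plus an NSEC3 covering
    *.<closest encloser>, otherwise a wildcard could have synthesized qname."""
    ce = closest_encloser(qname, zone, chain, salt, iters)
    if ce is None:
        return False
    wc = nsec3_hash("*." + ce[0], salt, iters)
    return any(r.covers(wc) for r in chain)


def proves_wildcard_answer(qname, rrsig_labels, chain, salt, iters):
    """Positive wildcard answer (s8.8). The RRSIG Labels field (RFC 4034
    s3.1.3) is smaller than qname's label count when the RRset came from a
    wildcard; the wildcard's parent is the closest encloser, and an NSEC3
    must cover the next closer name so no more specific name shadowed it."""
    ls = labels(qname)
    if rrsig_labels >= len(ls):
        return False                   # not a wildcard expansion at all
    nc = nsec3_hash(".".join(ls[len(ls) - rrsig_labels - 1:]), salt, iters)
    return any(r.covers(nc) for r in chain)


def build_chain(names, salt, iters):
    """Construct the NSEC3 chain for a set of existing names (test zone)."""
    hs = sorted(nsec3_hash(n, salt, iters) for n in names)
    return [NSEC3(h, hs[(i + 1) % len(hs)]) for i, h in enumerate(hs)]


# Constructed test zone: salt and iterations are those of the RFC 5155
# Appendix A example zone, the name set is our own.
ZONE, SALT, ITERS = "example", "aabbccdd", 12
ZONE_NAMES = ["example", "ns1.example", "w.example", "*.w.example", "x.w.example"]
CHAIN = build_chain(ZONE_NAMES, SALT, ITERS)

if __name__ == "__main__":
    for r in CHAIN:
        print(f"{r.owner}.{ZONE}. NSEC3 1 0 {ITERS} {SALT} {r.next}")
    print("NXDOMAIN a.example   :", proves_name_error("a.example", ZONE, CHAIN, SALT, ITERS))
    print("NXDOMAIN a.w.example :", proves_name_error("a.w.example", ZONE, CHAIN, SALT, ITERS))
    print("*.w.example -> a.b.w.example:", proves_wildcard_answer("a.b.w.example", 2, CHAIN, SALT, ITERS))
    print("*.w.example -> x.w.example  :", proves_wildcard_answer("x.w.example", 2, CHAIN, SALT, ITERS))
```

Run with python3 to print the constructed chain and the four proof results. The two wildcard cases are the ones a validator most often gets wrong: a.w.example must not be reported NXDOMAIN because *.w.example exists, and x.w.example must not be accepted as a wildcard expansion because the name itself is in the chain. For the real domain, the same checks apply to the NSEC3 and RRSIG records returned by dig +dnssec: an NXDOMAIN answer has to carry the closest-encloser, next-closer and wildcard NSEC3s, and a wildcard-expanded answer has to carry an RRSIG with a reduced Labels field plus the NSEC3 covering the next closer name.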