[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Michael Tremer michael.tremer at ipfire.org
Fri Jan 2 09:42:39 GMT 2015


Hello Simon,

thanks for looking into this. Unfortunately I did not have enough time
to look into that last year.

Whilst writing this, I am building a version of dnsmasq 2.72 with some
patches from the git repository. I also hope that these will fix this
problem that we are experiencing with lots of installations:
https://bugzilla.ipfire.org/show_bug.cgi?id=10607

It will take me a couple of days to confirm if the crash is gone, so
please stay tuned for that. I will also try to encourage some of our
users to test this pre-release.

If that would be of any help, I can try setting up a domain that signs
its records by using that algorithm.

-Michael

On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> I just looked at this. Simon's stripeyc.at is now working for me. I
> don't think I found any problems with 2.72 on that one though.
> 
> The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
> definitely found a bug in dnsmasq (combination of NSEC3 and
> wildcards.) I think that's all fixed in the current git HEAD /
> 2.73test2. Michael, please could you confirm, and pass this back to
> the ipfire list?
> 
> Cheers,
> 
> Simon.
> 
> 
> On 22/10/14 22:37, Simon Gebler wrote:
> > Sorry if I sounded rude or anything. Have a safe journey!
> > 
> > On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> > <simon at thekelleys.org.uk> wrote:
> >> On 21/10/14 15:24, SiGe wrote:
> >>> I experienced that problem myself, posted about it on the
> >>> mailing list
> >>> a few days ago. At least it happens on my domain that has both
> >>> a SHA-1 AND 256 hash. I'm experiencing it with the version
> >>> currently shipped in the current stable OpenWRT version.
> >>> 
> >>> So you're not alone there. Too bad my other post was
> >>> unacknowledged so far :/
> >> 
> >> Apologies for the lack of acknowledgement. I'm currently very
> >> busy and traveling. Getting to where I have available time _and_
> >> a good cellphone signal is tricky, and I have a huge email
> >> backlog to crawl out from. I'll look at this as soon as I can.
> >> 
> >> 
> >> Cheers,
> >> 
> >> Simon.
> >> 
> >>> 
> >>> ~ Simon
> >>> 
> >>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
> >>> <michael.tremer at ipfire.org> wrote:
> >>>> 
> >>>> Hello fellow dnsmasq users,
> >>>> 
> >>>> there is a topic on the IPFire support forums I would like to
> >>>> point you to:
> >>>> 
> >>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>> 
> >>>> It appears that dnsmasq cannot verify resource records of a
> >>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
> >>>> for its signatures. Although there is some code in dnsmasq
> >>>> that is supposed to handle this, it does not verify the
> >>>> records correctly.
> >>>> 
> >>>> Did anyone else experience this problem? Is it a bug with
> >>>> dnsmasq or the authoritative name servers of that domain?
> >>>> 
> >>>> Best, -Michael
> >>>> 
> >>>> ________________________________
> >>>>
> >>>> Dnsmasq-discuss mailing list
> >>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
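The bug Simon describes above sits in the NSEC3-plus-wildcard path of DNSSEC validation, and the affected zone signs with RSA/SHA1-NSEC3-SHA1 (DNSSEC algorithm 7), whose NSEC3 records use SHA-1 hashed owner names. The following Python is an added illustration, not dnsmasq's code and not from the thread: it implements the RFC 5155 owner-name hash (iterated SHA-1 over the wire-format name plus salt, base32hex-encoded) and the closest-encloser walk a validator performs before it can accept a wildcard expansion. Salt aabbccdd, 12 iterations and the owner names are taken from the RFC 5155 Appendix A example zone; the `ZONE_NAMES` list is a constructed subset of that zone with no record data, and the function names are this example's own.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex (the "Extended Hex" alphabet NSEC3 owner names use),
# emitted lowercase the way dig and zone files print it.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv"
)

# Parameters of the RFC 5155 Appendix A example zone (hash algorithm 1 = SHA-1,
# 12 iterations, salt aabbccdd). ZONE_NAMES is a constructed list of that zone's
# owner names; record data is not needed to show the hashing and the encloser walk.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
APEX = "example"
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
              "w.example", "*.w.example", "x.w.example", "x.y.w.example",
              "xx.example", "y.w.example"]
# Hashed owner name of the zone apex as printed in RFC 5155 Appendix A.
APEX_HASH_RFC5155 = "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot: the canonical form DNSSEC hashes (RFC 4034 6.2)."""
    return name.lower().rstrip(".")


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels followed by the root byte."""
    out = b""
    for label in normalize(name).split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    NSEC3 defines only hash algorithm 1 (SHA-1), independent of the zone's RRSIG algorithm."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def hashed_owners(names, salt, iterations):
    """Map hashed owner name -> original name: the NSEC3 chain as a validator sees it."""
    return {nsec3_hash(n, salt, iterations): normalize(n) for n in names}


def closest_encloser(qname, apex, owners, salt, iterations):
    """RFC 5155 section 8.3: strip labels from qname until an ancestor hashes to an existing
    NSEC3 owner. That ancestor is the closest encloser; the name one label below it is the
    'next closer' name, whose absence a covering NSEC3 must prove. Returns (ce, next_closer),
    or (None, None) if not even the apex is found among the owners."""
    name = normalize(qname)
    apex = normalize(apex)
    next_closer = None
    while True:
        if nsec3_hash(name, salt, iterations) in owners:
            return name, next_closer
        if name == apex or "." not in name:
            return None, None
        next_closer = name
        name = name.split(".", 1)[1]


def wildcard_check(qname, apex, names, salt, iterations):
    """The validator's steps behind a wildcard-expanded answer (RFC 5155 section 8.8): find the
    closest encloser, name the next closer that must be proven absent, and confirm that
    *.<closest encloser> is itself an NSEC3 owner, i.e. the wildcard that generated the answer."""
    owners = hashed_owners(names, salt, iterations)
    ce, nc = closest_encloser(qname, apex, owners, salt, iterations)
    if ce is None:
        return None
    wildcard = "*." + ce
    return {
        "closest_encloser": ce,
        "next_closer": nc,
        "wildcard": wildcard,
        "wildcard_present": nsec3_hash(wildcard, salt, iterations) in owners,
    }


if __name__ == "__main__":
    print(APEX, "->", nsec3_hash(APEX, SALT, ITERATIONS))
    print(wildcard_check("a.z.w.example", APEX, ZONE_NAMES, SALT, ITERATIONS))
    print(wildcard_check("nope.example", APEX, ZONE_NAMES, SALT, ITERATIONS))
```

For `a.z.w.example` the walk stops at `w.example`, names `z.w.example` as the next closer, and finds `*.w.example` in the chain, so a wildcard-expanded answer is plausible once the covering NSEC3 for the next closer checks out; for `nope.example` the closest encloser is the apex and no `*.example` exists, so the same answer shape would have to be rejected. A validator that gets either the hashing or the label-stripping wrong fails exactly the kind of zone discussed in this thread.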