[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Simon Kelley
simon at thekelleys.org.uk
Sat Jan 3 15:35:26 GMT 2015
Given the available information,
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
would be a very likely candidate to fix the crash problem. If that
doesn't do it, it would be really good to find a way to reproduce the
problem.
Cheers,
Simon.
On 02/01/15 09:42, Michael Tremer wrote:
> Hello Simon,
>
> thanks for looking into this. Unfortunately I did not have enough
> time to look into that last year.
>
> Whilst writing this, I am building a version of dnsmasq 2.72 with
> some patches from the git repository. I also hope that these will
> fix this problem that we are experiencing with lots of installations:
> https://bugzilla.ipfire.org/show_bug.cgi?id=10607
>
> It will take me a couple of days to confirm if the crash is gone,
> so please stay tuned for that. I will also try to encourage some of
> our users in testing this pre-release.
>
> If that would be of any help, I can try setting up a domain that
> signs its records by using that algorithm.
>
> -Michael
>
> On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
>> I just looked at this. Simon's stripeyc.at is now working for
>> me. I don't think I found any problems with 2.72 on that one
>> though.
>>
>> The domain mentioned in the ipfire thread
>> (formation.ent-liberscol.fr) definitely found a bug in dnsmasq
>> (combination of NSEC3 and wildcards.) I think that's all fixed in
>> the current git HEAD / 2.73test2. Michael, please could you
>> confirm, and pass this back to the ipfire list?
>>
>> Cheers,
>>
>> Simon.
>>
>>
>> On 22/10/14 22:37, Simon Gebler wrote:
>>> Sorry if I sounded rude or anything. Have a safe journey!
>>>
>>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
>>> <simon at thekelleys.org.uk> wrote:
>>>> On 21/10/14 15:24, SiGe wrote:
>>>>> I experienced that problem myself, posted about it on the
>>>>> mailing list a few days ago. At least it happens on my domain
>>>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with
>>>>> the version currently shipped in the current stable OpenWRT
>>>>> version.
>>>>>
>>>>> So you're not alone there. Too bad my other post was
>>>>> unacknowledged so far :/
>>>>
>>>> Apologies for the lack of acknowledgement. I'm currently
>>>> very busy and traveling. Getting to where I have available
>>>> time _and_ a good cellphone signal is tricky, and I have a
>>>> huge email backlog to crawl out from. I'll look at this as
>>>> soon as I can.
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>>>
>>>>> ~ Simon
>>>>>
>>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
>>>>> <michael.tremer at ipfire.org> wrote:
>>>>>>
>>>>>> Hello fellow dnsmasq users,
>>>>>>
>>>>>> there is a topic on the IPFire support forums I would
>>>>>> like to point you to:
>>>>>>
>>>>>> http://forum.ipfire.org/index.php?topic=11726.0
>>>>>>
>>>>>> It appears that dnsmasq cannot verify resource records of
>>>>>> a DNSSEC-enabled domain. That domain uses
>>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although there is
>>>>>> some code in dnsmasq that is supposed to handle this, it
>>>>>> does not verify the records correctly.
>>>>>>
>>>>>> Did anyone else experience this problem? Is it a bug
>>>>>> with dnsmasq or the authoritative name servers of that
>>>>>> domain?
>>>>>>
>>>>>> Best, -Michael
>>>>>>
>>>>>> ________________________________
>>>>>>
>>>>>> Dnsmasq-discuss mailing list
>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss