[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Simon Kelley simon at thekelleys.org.uk
Sat Jan 3 15:35:26 GMT 2015


Given the available information,

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975

would be a very likely candidate to fix the crash problem. If that
doesn't do it, it would be really good to find a way to reproduce the
problem.



Cheers,

Simon.

On 02/01/15 09:42, Michael Tremer wrote:
> Hello Simon,
> 
> thanks for looking into this. Unfortunately I did not have enough
> time to look into that last year.
> 
> Whilst writing this, I am building a version of dnsmasq 2.72 with
> some patches from the git repository. I also hope that these will
> fix this problem that we are experiencing with lots of installations:
> https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> 
> It will take me a couple of days to confirm if the crash is gone,
> so please stay tuned for that. I will also try to encourage some of
> our users in testing this pre-release.
> 
> If that would be of any help, I can try setting up a domain that
> signs its records by using that algorithm.
> 
> -Michael
> 
> On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
>> I just looked at this. Simon's stripeyc.at is now working for
>> me. I don't think I found any problems with 2.72 on that one
>> though.
>> 
>> The domain mentioned in the ipfire thread
>> (formation.ent-liberscol.fr) definitely found a bug in dnsmasq
>> (combination of NSEC3 and wildcards.) I think that's all fixed in
>> the current git HEAD / 2.73test2. Michael, please could you
>> confirm, and pass this back to the ipfire list?
>> 
>> Cheers,
>> 
>> Simon.
>> 
>> 
>> On 22/10/14 22:37, Simon Gebler wrote:
>>> Sorry if I sounded rude or anything. Have a safe journey!
>>> 
>>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley 
>>> <simon at thekelleys.org.uk> wrote:
>>>> On 21/10/14 15:24, SiGe wrote:
>>>>> I experienced that problem myself, posted about it on the
>>>>> mailing list a few days ago. At least it happens on my domain
>>>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with
>>>>> the version currently shipped in the current stable OpenWRT
>>>>> version.
>>>>> 
>>>>> So you're not alone there. Too bad my other post was
>>>>> unacknowledged so far :/
>>>> 
>>>> Apologies for the lack of acknowledgement. I'm currently
>>>> very busy and traveling. Getting to where I have available
>>>> time _and_ a good cellphone signal is tricky, and I have a
>>>> huge email backlog to crawl out from. I'll look at this as
>>>> soon as I can.
>>>> 
>>>> 
>>>> Cheers,
>>>> 
>>>> Simon.
>>>> 
>>>>> 
>>>>> ~ Simon
>>>>> 
>>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer 
>>>>> <michael.tremer at ipfire.org> wrote:
>>>>>> 
>>>>>> Hello fellow dnsmasq users,
>>>>>> 
>>>>>> there is a topic on the IPFire support forums I would
>>>>>> like to point you to:
>>>>>> 
>>>>>> http://forum.ipfire.org/index.php?topic=11726.0
>>>>>> 
>>>>>> It appears that dnsmasq cannot verify resource records of
>>>>>> a DNSSEC-enabled domain. That domain uses
>>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although there is
>>>>>> some code in dnsmasq that is supposed to handle this, it
>>>>>> does not verify the records correctly.
>>>>>> 
>>>>>> Did anyone else experience this problem? Is it a bug
>>>>>> with dnsmasq or the authoritative name servers of that
>>>>>> domain?
>>>>>> 
>>>>>> Best, -Michael
>>>>>> 
>>>>>> ________________________________
>>>>>> 
>>>>>> Dnsmasq-discuss mailing list 
>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss