[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Muell muell at ancientsound.de
Thu Jan 15 08:55:44 GMT 2015


Hi Simon,

/var/ipfire/red/resolv.conf:
nameserver 85.214.20.141
nameserver 213.73.91.35

These are the NSes of my provider. Should I try (temporarily) different
ones, just for a test? Do you have any experience with the Google NSes?
Are they DNSSEC capable and safe?

Thank you again.
--
Regards,

Olaf

On 14.01.2015 at 18:10, Simon Kelley wrote:
>
> Great, thanks, please could you send me the contents of
> /var/ipfire/red/resolv.conf as well?
>
>
> Cheers,
>
> Simon.
>
> BTW your trust anchor is the same as everybody else's. It's a public
> key, not a private key. The corresponding private key is very, very,
> secret and guarded very carefully by a small number of people. None of
> those people have all of the key, so they have to meet to use it.
>
>
> On 14/01/15 15:17, Muell wrote:
>> Hi Simon,
>>
>> I'm sure on IPFire there is no dnsmasq configuration file; it is
>> completely invoked by the command-line parameters in
>> /etc/init.d/dnsmasq. ps fxa says:
>>
>> [...] /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases -r
>> /var/ipfire/red/resolv.conf --domain=zuhause.xx
>> --server=/zuhause.xx/192.168.1.254 --dnssec --log-queries
>> --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>> --cache-size=2500
>> [...]
>>
>> --
>> Regards, Olaf
>>
>> On 14.01.2015 at 15:11, Simon Kelley wrote:
>> Thanks for that.
>> Sadly, neither of those domains provoke the crash for me, so it's
>> not that simple.
>>
>> What's the configuration? It's noticeable that all the DNSSEC
>> queries are being sent twice to 85.214.20.141, and there's a retry
>> to 213.73.91.35. I can't immediately explain either of those
>> facts.
>>
>> Please could you send the dnsmasq configuration files, either to
>> the list, or to me direct if you don't want them to be public.
>>
>> Cheers,
>>
>> Simon.
>>
>>
>> On 14/01/15 12:28, Muell wrote:
>>> Hi Simon,
>>>
>>> it didn't take a long time to get a hit. Here are the
>>> relevant last lines before the crash. I hope it will help.
>>> ==============================================================================================
>>> Jan 14 11:59:07 knox dnsmasq[26518]: forwarded bugzilla.ipfire.org to 85.214.20.141
>>> Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DNSKEY] ipfire.org to 85.214.20.141
>>> Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DNSKEY] ipfire.org to 85.214.20.141
>>> Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DS] ipfire.org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] ipfire.org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] org to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] . to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] . to 85.214.20.141
>>> Jan 14 11:59:08 knox dnsmasq[26518]: query[AAAA] ancientsound.de.zuhause.xx from 192.168.1.3
>>> Jan 14 11:59:08 knox dnsmasq[26518]: dnssec retry to 213.73.91.35
>>> Jan 14 11:59:12 knox dnsmasq[26518]: query[A] bugzilla.ipfire.org from 10.215.72.6
>>> Jan 14 11:59:12 knox kernel: dnsmasq[26518]: segfault at 0 ip 0805c6d5 sp bba49a90 error 4 in dnsmasq[8048000+30000]
>>> Jan 14 11:59:12 knox kernel: grsec: Segmentation fault occurred at (nil) in /usr/sbin/dnsmasq[dnsmasq:26518] uid/euid:99/99 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>>> Jan 14 11:59:12 knox kernel: grsec: bruteforce prevention initiated due to crash of /usr/sbin/dnsmasq against uid 99, banning suid/sgid execs for 15 minutes. Please investigate the crash report for /usr/sbin/dnsmasq[dnsmasq:26518] uid/euid:99/99 gid/egid:40/40, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>>> ==============================================================================================
>>>
>>> On 14.01.2015 at 12:14, Muell wrote:
>>>> Hi Simon,
>>>>
>>>> I'm one of the users Michael Tremer told you about
>>>> (segmentation faults on IPFire). I followed your hint and
>>>> activated "--log-queries", so we will (maybe) see what the
>>>> problem is. Lucky me, the last few days dnsmasq ran for a
>>>> couple of hours; the last crash was last night at 04:03 AM.
>>>> Unfortunately, I hadn't activated --log-queries.
>>>>
>>>> BTW: Sorry for writing this mail out of the thread context,
>>>> but I'd just subscribed a few minutes ago.
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Olaf
>>>>
>>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
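Simon points out above that every DNSSEC validation query in Olaf's log goes out twice to 85.214.20.141 before a retry to 213.73.91.35. The script below is an added example, not code from the thread or from dnsmasq: it parses those --log-queries lines (embedded as sample input, copied from the log excerpt in this thread) and counts duplicate validation queries per upstream, so the same pattern can be checked quickly in a larger log.

```python
import re
from collections import Counter

# Sample input: the --log-queries excerpt Olaf posted in this thread, one entry per line.
SAMPLE_LOG = """\
Jan 14 11:59:07 knox dnsmasq[26518]: forwarded bugzilla.ipfire.org to 85.214.20.141
Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DNSKEY] ipfire.org to 85.214.20.141
Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DNSKEY] ipfire.org to 85.214.20.141
Jan 14 11:59:07 knox dnsmasq[26518]: dnssec-query[DS] ipfire.org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] ipfire.org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DS] org to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] . to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec-query[DNSKEY] . to 85.214.20.141
Jan 14 11:59:08 knox dnsmasq[26518]: query[AAAA] ancientsound.de.zuhause.xx from 192.168.1.3
Jan 14 11:59:08 knox dnsmasq[26518]: dnssec retry to 213.73.91.35
Jan 14 11:59:12 knox dnsmasq[26518]: query[A] bugzilla.ipfire.org from 10.215.72.6
"""

# dnsmasq logs one "dnssec-query[TYPE] name to server" line per validation query it sends,
# and "dnssec retry to server" when it falls back to another upstream.
DNSSEC_QUERY = re.compile(r"dnsmasq\[\d+\]: dnssec-query\[(\w+)\] (\S+) to (\S+)$")
DNSSEC_RETRY = re.compile(r"dnsmasq\[\d+\]: dnssec retry to (\S+)$")

def parse_dnssec_events(log):
    """Count each (rrtype, name, upstream) validation query; collect retry targets in order."""
    queries, retries = Counter(), []
    for line in log.splitlines():
        m = DNSSEC_QUERY.search(line)
        if m:
            queries[m.groups()] += 1
            continue
        m = DNSSEC_RETRY.search(line)
        if m:
            retries.append(m.group(1))
    return queries, retries

def duplicate_queries(log):
    """Validation queries sent more than once to the same upstream, sorted for stable output."""
    queries, _ = parse_dnssec_events(log)
    return sorted((key, n) for key, n in queries.items() if n > 1)

if __name__ == "__main__":
    for (rrtype, name, server), n in duplicate_queries(SAMPLE_LOG):
        print(f"{rrtype:<6} {name:<12} sent {n}x to {server}")
    print("dnssec retries to:", parse_dnssec_events(SAMPLE_LOG)[1])
```

On the excerpt it reports all five DNSKEY/DS lookups (ipfire.org, org and the root) as sent twice to 85.214.20.141, plus the single retry to 213.73.91.35.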



