[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

Simon Kelley simon at thekelleys.org.uk
Thu Dec 17 17:58:24 GMT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 17/12/15 17:35, Simon Kelley wrote:

>> First and foremost, the primary issue of returning SERVFAILs for 
>> zones with DNSKEY RRsets signed using _only_ unknown algorithms 
>> (even though we are able to hash the DNSKEY RRset and
>> authenticate the DS at the parent) is not resolved.  Quick
>> example: if you try to resolve anything within a zone signed
>> using only ECC-GOST keys, with an SHA-256 DS at the parent,
>> SERVFAIL is still returned as dnssec_validate_by_ds() still
>> requires the validate_rrset() call for DNSKEY RRset to succeed
>> for it to return anything else than STAT_BOGUS.  In my patch
>> which started this thread I tried to demonstrate that if all
>> DNSKEY RRset validations fail only due to the lack of support for
>> the _signing_ algorithms used by its RRSIGs, the zone should be
>> marked as insecure, not bogus.
> 
> 
> Did you test this on a real domain and see a failure? The way it's 
> intended to work is that the call to zone_status() at line 2042
> will work down from the root to the DS, where it will find that the
> SHA-256 DS covers an ECC-GOST key and return STAT_INSECURE at line
> 1869. That will be returned from dnssec_validate_reply at line
> 2049, before the call to validate_rrset is even made.
> dnssec_validate_by_ds() should never be called.
> 
> An example of a domain that fails here would be really useful. I
> did testing by removing algorithms but as there are no rare
> algorithms it's difficult not to cause early failure of the process
> before the test case is reached.
> 
> 

More: the easiest way to test this is to use cloudflare zones, which
are signed using ECC. If I resolve www.ietf.org, which is a CNAME to
the cloudflare CDN, in dnsmasq I get a SECURE result. If I compile
dnsmasq with -DNO_NETTLE_ECC and repeat the test, I get an INSECURE
result. Looking good!


Cheers,

Simon.

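The decision the thread is arguing about is the one RFC 4035 section 5.2 (extended to digest types by RFC 6840 section 5.2) prescribes: a DS record is only usable if the validator supports both its digest type and the key algorithm it names, and a zone with no usable DS has no authentication path and is treated as unsigned (INSECURE), not as BOGUS. Only when a usable DS exists and nothing chains from it is the zone BOGUS. The program below is an added illustration of that rule, not dnsmasq's own code; `classify_zone`, the `ZONE_*` states, the `validator_caps` bitmask and the key tags are invented for the example, and the hash comparison and signature verification are replaced by precomputed booleans so it runs offline. The three scenarios reproduce the cases discussed above: a SHA-256 DS covering an ECC-GOST key, the ECDSA-signed zone checked with and without ECC support (the `-DNO_NETTLE_ECC` build), and a supported RSA DS whose signature does not verify.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Three-way validation result a DNSSEC validator reports for a zone
   (names chosen for this example). */
enum zone_state { ZONE_SECURE = 0, ZONE_INSECURE = 1, ZONE_BOGUS = 2 };

/* IANA DNSSEC algorithm numbers and DS digest types used below. */
enum { ALG_RSASHA256 = 8, ALG_ECC_GOST = 12, ALG_ECDSAP256SHA256 = 13 };
enum { DIGEST_SHA1 = 1, DIGEST_SHA256 = 2, DIGEST_GOST = 3 };

/* One DS record from the parent zone.  'digest_matches' stands in for
   hashing the child's DNSKEY and comparing; precomputed for the example. */
struct ds_record {
    int key_tag;
    int algorithm;        /* algorithm of the DNSKEY this DS covers */
    int digest_type;
    bool digest_matches;
};

/* One RRSIG over the child's DNSKEY RRset.  'verifies' stands in for the
   real signature check, which can only run if the algorithm is supported. */
struct dnskey_rrsig {
    int key_tag;
    int algorithm;
    bool verifies;
};

/* What this validator build supports, as bitmasks over the numbers above. */
struct validator_caps {
    unsigned algorithms;  /* bit n set => key/signature algorithm n supported */
    unsigned digests;     /* bit n set => DS digest type n supported */
};

#define BIT(n) (1u << (n))

static bool ds_usable(const struct validator_caps *c, const struct ds_record *d)
{
    /* Both the digest type and the key algorithm must be supported. */
    return (c->digests & BIT(d->digest_type)) && (c->algorithms & BIT(d->algorithm));
}

enum zone_state classify_zone(const struct validator_caps *caps,
                              const struct ds_record *ds, size_t n_ds,
                              const struct dnskey_rrsig *sigs, size_t n_sigs)
{
    bool any_usable = false;
    for (size_t i = 0; i < n_ds; i++)
        if (ds_usable(caps, &ds[i]))
            any_usable = true;

    /* No usable DS: there is no authentication path we can follow from the
       parent, so the zone is treated exactly as if no DS existed. */
    if (!any_usable)
        return ZONE_INSECURE;

    /* A usable DS exists, so the zone claims to be signed in a way we can
       check: the DNSKEY it hashes to must have produced a verifiable RRSIG
       over the DNSKEY RRset. */
    for (size_t i = 0; i < n_ds; i++) {
        if (!ds_usable(caps, &ds[i]) || !ds[i].digest_matches)
            continue;
        for (size_t j = 0; j < n_sigs; j++)
            if (sigs[j].key_tag == ds[i].key_tag &&
                sigs[j].algorithm == ds[i].algorithm &&
                (caps->algorithms & BIT(sigs[j].algorithm)) && sigs[j].verifies)
                return ZONE_SECURE;
    }

    /* We could have validated this zone and it failed: that is a real failure. */
    return ZONE_BOGUS;
}

/* SHA-256 DS at the parent covering an ECC-GOST key, validator without GOST. */
enum zone_state scenario_gost_only(void)
{
    struct validator_caps caps = { BIT(ALG_RSASHA256) | BIT(ALG_ECDSAP256SHA256),
                                   BIT(DIGEST_SHA1) | BIT(DIGEST_SHA256) };
    struct ds_record ds[] = { { 12345, ALG_ECC_GOST, DIGEST_SHA256, true } }; /* constructed */
    struct dnskey_rrsig sigs[] = { { 12345, ALG_ECC_GOST, true } };
    return classify_zone(&caps, ds, 1, sigs, 1);
}

/* ECDSA P-256 signed zone, with and without ECC support compiled in. */
enum zone_state scenario_ecdsa(bool ecc_support)
{
    struct validator_caps caps = { BIT(ALG_RSASHA256) | (ecc_support ? BIT(ALG_ECDSAP256SHA256) : 0u),
                                   BIT(DIGEST_SHA1) | BIT(DIGEST_SHA256) };
    struct ds_record ds[] = { { 2371, ALG_ECDSAP256SHA256, DIGEST_SHA256, true } }; /* constructed */
    struct dnskey_rrsig sigs[] = { { 2371, ALG_ECDSAP256SHA256, true } };
    return classify_zone(&caps, ds, 1, sigs, 1);
}

/* Supported RSA DS whose DNSKEY RRSIG fails to verify: must stay BOGUS. */
enum zone_state scenario_broken_rsa(void)
{
    struct validator_caps caps = { BIT(ALG_RSASHA256), BIT(DIGEST_SHA1) | BIT(DIGEST_SHA256) };
    struct ds_record ds[] = { { 999, ALG_RSASHA256, DIGEST_SHA256, true } }; /* constructed */
    struct dnskey_rrsig sigs[] = { { 999, ALG_RSASHA256, false } };
    return classify_zone(&caps, ds, 1, sigs, 1);
}

int main(void)
{
    printf("GOST-only zone, no GOST support: %d (1 = INSECURE)\n", scenario_gost_only());
    printf("ECDSA zone with ECC:             %d (0 = SECURE)\n", scenario_ecdsa(true));
    printf("ECDSA zone, -DNO_NETTLE_ECC:     %d (1 = INSECURE)\n", scenario_ecdsa(false));
    printf("RSA zone, bad DNSKEY signature:  %d (2 = BOGUS)\n", scenario_broken_rsa());
    return 0;
}
```

The important asymmetry is in `ds_usable`: being able to hash the DNSKEY (SHA-256 is supported) is not enough when the key's own algorithm is unknown, because the validator could never check the RRSIG that key produces, so the DS gives it no path and the answer is INSECURE. The RSA scenario shows the opposite side of the rule, which is what keeps the change from becoming a downgrade: once a DS is usable, a failing signature is reported as BOGUS rather than quietly degraded.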


