[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

Simon Kelley simon at thekelleys.org.uk
Sun Dec 20 21:40:12 GMT 2015





On 18/12/15 13:22, Michał Kępień wrote:

> A useful test subject for these issues is the caint.su zone, which
> uses two keys, each using a different algorithm (RSA and ECC-GOST)
> and also provides three separate hashes of each of those keys in
> its parent zone. Using this zone as an example for the reasoning
> above, it shouldn't be considered insecure just because we don't
> understand GOST hashes and/or signing.
> 

I just checked in code that behaves well in this case. This is making
real progress: thanks for your assistance.

>> That's a good point. The problem is that Nettle supports
>> introspection for hash functions, but not public-key signatures.
>> algo_digest_name() uses the introspection, but it doesn't tell
>> you that algorithms 13 and 14 are not available because ECC is
>> not available. Hence I added the #ifdef NO_NETTLE_ECC, which
>> should encompass 12. Even that's not right, because 12 needs
>> ECC-GOST, which isn't implemented. The canonical place for this
>> information is actually verify(): it knows which algorithms are
>> OK. I've fixed the code to do that.  A digest is supported if
>> it's in the switch in algo_digest_name() AND supported by the
>> current Nettle. A signature algo is supported if it's in the 
>> switch in verify_func(). That has to be kept up-to-date with
>> Nettle's capabilities.
> 
> Thanks, as I already stated above, this fixed quite some of the
> problems I observed.
> 

I extended this to include a function defining known NSEC3 hash
functions. There's only one at the moment, but now we're prepared!
(And in the case that a validator doesn't support an NSEC3 hash
function, we're told by RFC 5155 8.1 to return BOGUS.)


Cheers,

Simon.
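An added illustration of the support rule described in the thread (not code from dnsmasq or from either poster): a DS record counts as usable only when both its digest type and its key's signing algorithm are ones the validator can handle, a delegation with no usable DS is treated as unsigned rather than bogus, and an unknown NSEC3 hash algorithm is bogus. The `HAVE_ECC` macro and the `ds_record` struct are assumptions standing in for the real build configuration and data structures; algorithm and digest numbers are the IANA DNSSEC registry values.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not dnsmasq's code. A DS record is usable only if its
   digest type is known AND the key's signing algorithm is one verify()
   can check; a zone with no usable DS is INSECURE (unsigned), not BOGUS.
   An unknown NSEC3 hash algorithm is BOGUS (RFC 5155 section 8.1). */

enum status { STATUS_PROCEED, STATUS_INSECURE, STATUS_BOGUS };
struct ds_record { int key_tag; int algo; int digest_type; };

#define HAVE_ECC 1  /* stands in for the build config: 1 if Nettle has ECC */

/* DS digests: 1 SHA-1, 2 SHA-256, 4 SHA-384; 3 (GOST R 34.11-94) is absent
   because the assumed Nettle build has no GOST hash. */
static bool digest_supported(int digest_type)
{
    switch (digest_type) {
    case 1: case 2: case 4: return true;
    default: return false;
    }
}

/* Signing algorithms verify() can check: RSA always, ECDSA 13/14 only with
   ECC in Nettle, ECC-GOST (12) never. */
static bool sig_algo_supported(int algo)
{
    switch (algo) {
    case 5: case 7: case 8: case 10: return true;
    case 13: case 14: return HAVE_ECC;
    default: return false;
    }
}

/* Only NSEC3 hash algorithm 1 (SHA-1) is defined at present. */
static bool nsec3_hash_supported(int hash_algo) { return hash_algo == 1; }

/* Proceed to signature validation if any DS in the set is usable; otherwise
   the child zone is treated as unsigned rather than bogus. */
enum status classify_ds_set(const struct ds_record *ds, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (digest_supported(ds[i].digest_type) && sig_algo_supported(ds[i].algo))
            return STATUS_PROCEED;
    return STATUS_INSECURE;
}

enum status classify_nsec3(int hash_algo)
{
    return nsec3_hash_supported(hash_algo) ? STATUS_PROCEED : STATUS_BOGUS;
}
```

A DS set shaped like the caint.su case (an RSA key and an ECC-GOST key, each published with SHA-1, SHA-256 and GOST digests) yields STATUS_PROCEED because the RSA/SHA-256 pair is usable, while a set containing only GOST-signed keys yields STATUS_INSECURE.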


