[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus
Michał Kępień
michal.kepien at nask.pl
Mon Dec 21 14:21:12 GMT 2015
> > A useful test subject for these issues is the caint.su zone, which
> > uses two keys, each using a different algorithm (RSA and ECC-GOST)
> > and also provides three separate hashes of each of those keys in
> > its parent zone. Using this zone as an example for the reasoning
> > above, it shouldn't be considered insecure just because we don't
> > understand GOST hashes and/or signing.
> >
>
> I just checked in code that behaves well in this case. This is making
> real progress: thanks for your assistance.
Well, thanks to you for doing all the heavy lifting. It's been a fun
ride.
I did some preliminary tests on the latest master and things are looking
good. If I find any glitches, I'll report them.
The only remark I have this time is that it might be nice to also
include digest/signing algorithms in DS query logs. Seeing something
like this in your logs can be confusing:
reply caint.su is DS keytag 697
reply caint.su is DS keytag 697
reply caint.su is DS keytag 697 (not supported)
Instead, something like this could be written:
reply caint.su is DS keytag 697, algo 5, digest 1
reply caint.su is DS keytag 697, algo 5, digest 2
reply caint.su is DS keytag 697, algo 5, digest 3 (not supported)
It's just a thought, though.
--
Best regards,
Michał Kępień
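An added example, not dnsmasq's code nor anything from this thread: a small C parser for DS RDATA that emits the log format proposed above, marking digest types the (assumed) validator does not know as "(not supported)". The set of supported digest types and the three sample records are constructed for illustration; the digest bytes are placeholders, not real hashes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digest types this example accepts (IANA DS digest registry): 1 = SHA-1,
   2 = SHA-256, 4 = SHA-384. Type 3 (GOST R 34.11-94) is left out on purpose
   so that the "(not supported)" path is exercised. */
static int digest_supported(int t) { return t == 1 || t == 2 || t == 4; }

/* DS RDATA (RFC 4034, section 5.1): key tag (2 bytes, network order),
   algorithm (1 byte), digest type (1 byte), digest (rest). -1 if too short. */
int parse_ds_rdata(const uint8_t *rdata, size_t len,
                   int *keytag, int *algo, int *digest_type)
{
  if (len < 4)
    return -1;
  *keytag = (rdata[0] << 8) | rdata[1];
  *algo = rdata[2];
  *digest_type = rdata[3];
  return 0;
}

/* Write the proposed log line into buf; returns its length, -1 on bad RDATA. */
int format_ds_log(const char *name, const uint8_t *rdata, size_t len,
                  char *buf, size_t buflen)
{
  int keytag, algo, digest_type;
  if (parse_ds_rdata(rdata, len, &keytag, &algo, &digest_type) < 0)
    return -1;
  return snprintf(buf, buflen, "reply %s is DS keytag %d, algo %d, digest %d%s",
                  name, keytag, algo, digest_type,
                  digest_supported(digest_type) ? "" : " (not supported)");
}

/* Constructed sample: three DS records for key tag 697 (0x02B9), algorithm 5,
   digest types 1, 2 and 3. The digest bytes are placeholders, not real hashes. */
static const uint8_t sample_ds[3][6] = {
  {0x02, 0xB9, 5, 1, 0xAA, 0xBB},
  {0x02, 0xB9, 5, 2, 0xAA, 0xBB},
  {0x02, 0xB9, 5, 3, 0xAA, 0xBB},
};

/* Log line for sample record i (0..2) in a static buffer; NULL on error. */
const char *sample_ds_log(int i)
{
  static char buf[128];
  if (i < 0 || i > 2)
    return NULL;
  return format_ds_log("caint.su", sample_ds[i], 6, buf, sizeof buf) < 0 ? NULL : buf;
}
```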