[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus

Michał Kępień michal.kepien at nask.pl
Mon Dec 21 14:21:12 GMT 2015


> > A useful test subject for these issues is the caint.su zone, which
> > uses two keys, each using a different algorithm (RSA and ECC-GOST)
> > and also provides three separate hashes of each of those keys in
> > its parent zone. Using this zone as an example for the reasoning
> > above, it shouldn't be considered insecure just because we don't
> > understand GOST hashes and/or signing.
> > 
> 
> I just checked in code that behaves well in this case. This is making
> real progress: thanks for your assistance.

Well, thanks to you for doing all the heavy lifting.  It's been a fun
ride.

I did some preliminary tests on the latest master and things are looking
good.  If I find any glitches, I'll report them.

The only remark I have this time is that it might be nice to also
include digest/signing algorithms in DS query logs.  Seeing something
like this in your logs can be confusing:

    reply caint.su is DS keytag 697
    reply caint.su is DS keytag 697
    reply caint.su is DS keytag 697 (not supported)

Instead, something like this could be written:

    reply caint.su is DS keytag 697, algo 5, digest 1
    reply caint.su is DS keytag 697, algo 5, digest 2
    reply caint.su is DS keytag 697, algo 5, digest 3 (not supported)

It's just a thought, though.

-- 
Best regards,
Michał Kępień
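To illustrate the log format proposed above, here is an added example (not dnsmasq's own code, and not from the original thread) that decodes DS RDATA from its wire format and renders the suggested "keytag, algo, digest" line, marking records whose digest type or signing algorithm it does not recognise as "(not supported)". The function names, the constructed sample RDATA and the set of algorithms treated as supported are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DS RDATA wire format (RFC 4034 section 5.1): key tag (2 bytes),
   algorithm (1 byte), digest type (1 byte), digest (remainder). */
struct ds_rdata { uint16_t keytag; uint8_t algo, digest_type; size_t digest_len; };

/* Expected digest length per digest type; 0 means not recognised here.
   Assumption: this table is this example's, not dnsmasq's. */
static size_t ds_digest_len(uint8_t digest_type)
{
    switch (digest_type) {
    case 1: return 20;   /* SHA-1 */
    case 2: return 32;   /* SHA-256 */
    case 4: return 48;   /* SHA-384 */
    default: return 0;   /* e.g. 3 = GOST R 34.11-94 */
    }
}

/* Signing algorithms this example treats as supported (assumption). */
static int ds_algo_supported(uint8_t algo)
{
    return algo == 5 || algo == 7 || algo == 8 || algo == 10 || algo == 13 || algo == 14;
}

static int ds_parse(const uint8_t *rdata, size_t len, struct ds_rdata *out)
{
    if (len < 4) return -1;                       /* too short to hold the fixed header */
    out->keytag = (uint16_t)((rdata[0] << 8) | rdata[1]);
    out->algo = rdata[2];
    out->digest_type = rdata[3];
    out->digest_len = len - 4;
    return 0;
}

/* Writes the log line into buf; returns 1 if the DS record is usable, else 0. */
static int ds_log_line(const char *name, const uint8_t *rdata, size_t len, char *buf, size_t bufsz)
{
    struct ds_rdata ds;
    if (ds_parse(rdata, len, &ds) < 0) {
        snprintf(buf, bufsz, "reply %s is DS (malformed)", name);
        return 0;
    }
    size_t want = ds_digest_len(ds.digest_type);
    int ok = ds_algo_supported(ds.algo) && want != 0 && want == ds.digest_len;
    snprintf(buf, bufsz, "reply %s is DS keytag %u, algo %u, digest %u%s",
             name, ds.keytag, ds.algo, ds.digest_type, ok ? "" : " (not supported)");
    return ok;
}
```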