<html><head></head><body style="zoom: 0%;"><div dir="auto"><snip><br><br></div>
<div dir="auto">The use case is as follows:<br><br></div>
<div dir="auto">1) Query for a record.<br></div>
<div dir="auto">2) Response is a CNAME which is valid but unsigned, but points to a record that is signed<br></div>
<div dir="auto">3) Code checks unsigned and is happy with that (verifying NSEC)<br></div>
<div dir="auto">4) Code checks CNAME and is happy with that (verifying the RRset)<br></div>
<div dir="auto">5) Final validation sees a secure response in the answer set when the sigcnt for the response is 0 (because the CNAME was unsigned) and returns BOGUS<br><br></div>
<div dir="auto">The correct response here should be to return an INSECURE response (throwing away the secure check for the forwarded domain). One could argue it’s not worth validating the CNAME target if it isn’t signed itself… That’s an alternative, but we might as well make it as hard for the attacker as possible I suppose?<br><br></div>
<div dir="auto"></snip><br></div>
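<div dir="auto">A small model of the chain-status logic described in the steps above, added here as an illustration; it is not dnsmasq code and not the poster's patch. The three statuses, the per-RRset signature counter (named <code>sigs</code> here, standing in for the "sigcnt" of step 5), the record names and the sample answer are all constructed for the example. <code>naive_final_check</code> reproduces the step 5 failure (a SECURE target plus a zero signature count for the queried name reported as BOGUS); <code>chain_status</code> follows the CNAME chain by owner name and combines the per-link results, so an unsigned-but-proven link yields INSECURE, and because it walks by name rather than by position the result is the same whichever order the CNAME and its target appear in, which is the ordering concern raised in the quoted message.<br><br></div>

```python
"""Combining per-RRset DNSSEC outcomes along a CNAME chain.

Added example, not dnsmasq code. Status names, the per-RRset signature
counter and the sample records are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Per-RRset outcomes, ranked so that the chain is only as strong as its
# weakest link: BOGUS < INSECURE < SECURE.
BOGUS, INSECURE, SECURE = "BOGUS", "INSECURE", "SECURE"
_RANK = {BOGUS: 0, INSECURE: 1, SECURE: 2}


@dataclass
class RRset:
    name: str       # owner name
    rtype: str      # "CNAME" or "A"
    rdata: str      # CNAME target, or the address
    status: str     # outcome of validating this RRset on its own
    sigs: int       # RRSIGs verified for it (0 when the zone is unsigned)


def naive_final_check(answer: List[RRset], qname: str) -> str:
    """Reproduces the failure in step 5 of the message: the answer holds a
    SECURE RRset, but the signature count for the RRset that owns the query
    name is 0 (the CNAME was unsigned), and that contradiction is reported
    as BOGUS instead of INSECURE."""
    if any(r.status == BOGUS for r in answer):
        return BOGUS
    owner_sigs = sum(r.sigs for r in answer if r.name == qname)
    if any(r.status == SECURE for r in answer) and owner_sigs == 0:
        return BOGUS
    return SECURE if all(r.status == SECURE for r in answer) else INSECURE


def chain_status(answer: List[RRset], qname: str) -> str:
    """Walk the CNAME chain from qname by owner name and combine the
    per-link outcomes: any BOGUS link -> BOGUS, else any INSECURE link ->
    INSECURE, else SECURE. A CNAME loop is treated as BOGUS. RRsets not
    reachable from qname are ignored rather than trusted."""
    by_name: Dict[str, List[RRset]] = {}
    for r in answer:
        by_name.setdefault(r.name, []).append(r)

    name = qname
    seen = set()
    result = SECURE
    while True:
        if name in seen:
            return BOGUS            # loop in the chain: malformed answer
        seen.add(name)
        rrsets = by_name.get(name)
        if not rrsets:
            break                   # chain ends (target not in this answer)
        for r in rrsets:
            result = min(result, r.status, key=_RANK.get)
        cname: Optional[RRset] = next(
            (r for r in rrsets if r.rtype == "CNAME"), None)
        if cname is None:
            break                   # reached the terminal RRset
        name = cname.rdata
    return result


# Constructed sample answer for the use case in the message: the queried
# name sits in an unsigned zone (NSEC proved the delegation insecure), and
# its CNAME target sits in a signed zone whose RRSIG verified.
SAMPLE = [
    RRset("www.example.test.", "CNAME", "cdn.signed.test.", INSECURE, 0),
    RRset("cdn.signed.test.", "A", "192.0.2.10", SECURE, 1),
]

if __name__ == "__main__":
    q = "www.example.test."
    print("naive:", naive_final_check(SAMPLE, q))               # BOGUS
    print("chain:", chain_status(SAMPLE, q))                    # INSECURE
    print("reversed:", chain_status(list(reversed(SAMPLE)), q))  # INSECURE
```

<div dir="auto">Run it as a script to see the two outcomes side by side. The naive check rejects the answer outright; the chain walk keeps the target's validation (so a forged target record would still be caught as BOGUS) while reporting the overall result as INSECURE, which is what the message argues for.<br><br></div>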
<div class="gmail_quote" >On 15 Apr 2022, at 08:55, Geert Stappers <<a href="mailto:stappers@stappers.nl" target="_blank">stappers@stappers.nl</a>> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="blue">On Fri, Apr 15, 2022 at 12:19:55AM +0100, Chris Staite via Dnsmasq-discuss wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Hi again again,<br> <br> I realised it was even easier than that. This time I am done and<br> going to bed though, so no more spam from me (at least tonight anyway).<br></blockquote><br>When I woke up, I saw three messages from the same author about dnssec.<br>Only one message was opened (the other two got marked as read).<br> <br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> This time I actually fixed an issue with my simplified version in so<br> much as it was able to circumvent the unsigned check of the parent<br> from the target of the CNAME if the CNAME came after the A record in<br> the response, which was bad. This stops that from happening, which<br> is good. It does require the CNAME to come before the A record, but<br> I think that’s required in the standard anyway? If it doesn’t,<br> well then at least it’s better than it was before.<br> <br> Once again, please see previous for reasoning behind the patch.<br></blockquote><br>Please add the reason to the proposed patch.<br> <br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Thanks, Chris.<br> <br></blockquote><br>Groeten<br>Geert Stappers</pre></blockquote></div></body></html>