<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>If you are not sure or you don't want to experiment here, you can
still include the patch as an attachment manually.</p>
<p>I don't use git send-email, but git format-patch -1. That creates
a nicely formatted patch file including timestamp, commit message and
sender. Then just attach that file and add [PATCH] to the subject
manually. I have used that to send my patches so far. It would need
a few more clicks, but the result should be the same and it is
simpler to get right.</p>
<p>Cheers,<br>
Petr<br>
</p>
<div class="moz-cite-prefix">On 4/15/22 14:43, Chris Staite via
Dnsmasq-discuss wrote:<br>
</div>
<blockquote type="cite"
cite="mid:917F5185-E15A-4DEE-A257-50BE0FF64D10@yourdreamnet.co.uk">I
just found out how to use git send-email as I’ve not used it
before. However, I still don’t think I’ve done it right?
<div class=""><br class="">
</div>
<div class="">Happy to take your advice here. I usually either
dump a patch from git or use a PR.</div>
<div class=""><br class="">
</div>
<div class="">Thanks, Chris.</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 15 Apr 2022, at 11:26, Geert Stappers &lt;<a
href="mailto:stappers@stappers.nl"
class="moz-txt-link-freetext" moz-do-not-send="true">stappers@stappers.nl</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span class="">On Fri, Apr 15, 2022 at
09:20:47AM +0100, Chris via Dnsmasq-discuss wrote:</span><br
class="">
<blockquote type="cite" class="">On 15 Apr 2022, 08:55, at
08:55, Geert Stappers &lt;<a
href="mailto:stappers@stappers.nl"
class="moz-txt-link-freetext" moz-do-not-send="true">stappers@stappers.nl</a>&gt;
wrote:<br class="">
<blockquote type="cite" class="">On Fri, Apr 15, 2022 at
12:19:55AM +0100, Chris Staite via<br class="">
Dnsmasq-discuss wrote:<br class="">
<blockquote type="cite" class="">Hi again again,<br
class="">
<br class="">
I realised it was even easier than that. This time I
am done and<br class="">
going to bed though, so no more spam from me (at
least tonight<br class="">
</blockquote>
anyway).<br class="">
<br class="">
When I woke up, I did see three messages from the same
author about dnssec.<br class="">
Only one message was opened (the other two got
marked as read)<br class="">
<br class="">
<blockquote type="cite" class="">This time I actually
fixed an issue with my simplified version in so<br
class="">
much as it was able to circumvent the unsigned check
of the parent<br class="">
from the target of the CNAME if the CNAME came after
the A record in<br class="">
the response, which was bad. This stops that from
happening, which<br class="">
is good. It does require the CNAME to come before
the A record, but<br class="">
I think that’s required in the standard anyway? If
it doesn’t,<br class="">
well then at least it’s better than it was before.<br
class="">
<br class="">
Once again, please see previous for reasoning behind
the patch.<br class="">
</blockquote>
<br class="">
Please add the reason to the proposed patch.<br
class="">
<br class="">
</blockquote>
<snip><br class="">
<br class="">
The use case is as follows:<br class="">
<br class="">
1) Query for a record.<br class="">
2) Response is a CNAME which is valid but unsigned, but
points to a record that is signed<br class="">
3) Code checks unsigned and is happy with that
(verifying NSEC)<br class="">
4) Code checks CNAME and is happy with that (verifying
the RRset)<br class="">
5) Final validation sees a secure response in the answer
set when<br class="">
the sigcnt for the response is 0 (because the CNAME was
unsigned)<br class="">
and returns BOGUS<br class="">
<br class="">
The correct response here should be to return an
INSECURE response<br class="">
(throwing away the secure check for the forwarded
domain). One could<br class="">
argue it’s not worth validating the CNAME target if it
isn’t<br class="">
signed itself… That’s an alternative, but we might as
well make<br class="">
it as hard for the attacker as possible I suppose?<br
class="">
<br class="">
</snip><br class="">
</blockquote>
<br class="">
<br class="">
<span class="">The long version of</span><br class="">
<blockquote type="cite" class="">
<blockquote type="cite" class="">Please add the reason
to the proposed patch.<br class="">
</blockquote>
</blockquote>
<br class="">
<span class="">Patch has been seen, there was no commit
message.</span><br class="">
<span class="">Create a new version of the proposed patch</span><br
class="">
<span class="">that does have a commit message.</span><br
class="">
<br class="">
<br class="">
<span class="">Groeten</span><br class="">
<span class="">Geert Stappers</span><br class="">
<span class="">--<span class="Apple-converted-space"> </span></span><br
class="">
<span class="">Silence is hard to parse</span></div>
</blockquote>
</div>
<br class="">
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Dnsmasq-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a>
<a class="moz-txt-link-freetext" href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
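<p>Added example, not part of the thread or of dnsmasq's code: a Python model of the use case quoted above, where an unsigned CNAME that points at a signed record should give INSECURE whichever order the records arrive in. The <code>Status</code> ranking, the record dictionaries and the choice to treat records off the CNAME chain as BOGUS are assumptions of this example.</p>

```python
from enum import IntEnum

class Status(IntEnum):      # assumed ranking: a higher value is a weaker result
    SECURE = 0
    INSECURE = 1            # proven unsigned, e.g. by NSEC
    BOGUS = 2               # validation failed

def answer_status(qname, rrsets):
    """Weakest status along the CNAME chain starting at qname, in any record order."""
    by_owner = {}
    for rr in rrsets:
        by_owner.setdefault(rr["owner"].lower(), []).append(rr)
    worst, name, seen = Status.SECURE, qname.lower(), set()
    while name in by_owner and name not in seen:   # 'seen' also stops CNAME loops
        seen.add(name)
        target = None
        for rr in by_owner[name]:
            worst = max(worst, rr["status"])
            if rr["rtype"] == "CNAME":
                target = rr["target"].lower()
        if target is None:
            break
        name = target
    # Assumption: a record that is not on the chain is not vouched for by it.
    if set(by_owner) - seen:
        return Status.BOGUS
    return worst

# Constructed sample: unsigned CNAME pointing at a signed, validated A record.
CNAME = {"owner": "www.unsigned.test", "rtype": "CNAME",
         "target": "host.signed.test", "status": Status.INSECURE}
A_REC = {"owner": "host.signed.test", "rtype": "A", "status": Status.SECURE}

if __name__ == "__main__":
    for order in ([CNAME, A_REC], [A_REC, CNAME]):
        print(answer_status("www.unsigned.test", order).name)
```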
</body>
</html>