[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Simon Kelley
simon at thekelleys.org.uk
Tue Dec 23 16:02:43 GMT 2014
I just looked at this. Simon's stripeyc.at is now working for me. I
don't think I found any problems with 2.72 on that one though.

The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
definitely found a bug in dnsmasq (combination of NSEC3 and
wildcards.) I think that's all fixed in the current git HEAD /
2.73test2. Michael, please could you confirm, and pass this back to
the ipfire list?

Cheers,

Simon.

On 22/10/14 22:37, Simon Gebler wrote:
> Sorry if I sounded rude or anything. Have a safe journey!
>
> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
>> On 21/10/14 15:24, SiGe wrote:
>>> I experienced that problem myself, posted about it on the
>>> mailing list a few days ago. At least it happens on my domain
>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with the
>>> version currently shipped in the current stable OpenWRT version.
>>>
>>> So you're not alone there. Too bad my other post was
>>> unacknowledged so far :/
>>
>> Apologies for the lack of acknowledgement. I'm currently very
>> busy and traveling. Getting to where I have available time _and_
>> a good cellphone signal is tricky, and I have a huge email
>> backlog to crawl out from. I'll look at this as soon as I can.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>>
>>> ~ Simon
>>>
>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
>>> <michael.tremer at ipfire.org> wrote:
>>>>
>>>> Hello fellow dnsmasq users,
>>>>
>>>> there is a topic on the IPFire support forums I would like to
>>>> point you to:
>>>>
>>>> http://forum.ipfire.org/index.php?topic=11726.0
>>>>
>>>> It appears that dnsmasq cannot verify resource records of a
>>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
>>>> for its signatures. Although there is some code in dnsmasq
>>>> that is supposed to handle this, it does not verify the
>>>> records correctly.
>>>>
>>>> Did anyone else experience this problem? Is it a bug with
>>>> dnsmasq or the authoritative name servers of that domain?
>>>>
>>>> Best, -Michael
>>>>
>>>> ________________________________
>>>>
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss