[Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Simon Kelley simon at thekelleys.org.uk
Thu Jan 8 16:34:11 GMT 2015



OK, it's taken some time, but with this insight, I've recoded the
relevant stuff to look for the limits of the signed DNS tree from the
DNS root down. That's clearly the correct way to do it, and should
avoid the original problem here, caused by sending DNSSEC queries to
DNSSEC-unaware servers in the unsigned parts of the tree.

This was quite a big change, and it could do with some serious
testing. Available now on the dnsmasq git repo, or as 2.73test3 in a
tarball.

There are other DNSSEC fixes in there too; check the changelog.


Cheers,

Simon.


On 04/10/14 22:45, Anders Kaseorg wrote:
> On Fri, 3 Oct 2014, Anders Kaseorg wrote:
>>> secure no DS means that the original unsigned answer should be
>>> accepted, except that it shouldn't. There's no way to
>>> distinguish between secure lack of DS because we've reached an
>>> unsigned branch of the tree, and secure lack of DS because
>>> we're not at a zone cut, except if we know where the zone cuts
>>> are, and we don't.
>> 
>> Having just looked through RFC 5155 for clues: isn’t that the
>> purpose of the NS type bit in the NSEC3 record?  In this example,
>> DS university would give an NSEC3 record with the NS bit clear.
>> That signals that we should go down a level and query DS campus.
>> In this case we find a signed DS there.  But if we were to find
>> an NSEC3 with the NS bit set, then we’d know that we’ve really
>> found an unsigned zone and can stop going down.
> 
> Aha: and this is exactly the answer given at 
> http://tools.ietf.org/html/rfc6840#section-4.4 .
> 
> Anders
> 
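The root-down walk Simon describes, with the RFC 6840 section 4.4 rule Anders points to, as an added illustration (this is not dnsmasq's code): a DS query at each label, where a validated DS means a signed delegation, a validated "no DS" with the NS bit clear means "not a zone cut, keep descending", and a validated "no DS" with the NS bit set marks the start of an unsigned subtree, where the walk stops so no further DNSSEC queries are sent below it. The answer table is constructed for the example; `find_signed_limit` and `ancestors_from_root` are hypothetical names.

```python
from typing import Dict, List, Tuple

# Possible validated outcomes of a DS query at one name (a simplification of
# the RFC 4035/5155 proofs, enough for this illustration).
DS_PRESENT = "DS"              # signed DS RRset: a secure delegation
NO_DS_NS_SET = "NSEC_NS"       # proven no DS, NS bit set: unsigned delegation
NO_DS_NS_CLEAR = "NSEC_NONS"   # proven no DS, NS bit clear: not a zone cut


def ancestors_from_root(qname: str) -> List[str]:
    """Return 'example.', 'university.example.', ... down to qname itself."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def find_signed_limit(qname: str, ds_answers: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Walk from the root down, querying DS at each label.

    Returns (status, name where the signed tree ends or '', DS names queried),
    with status 'secure', 'insecure' or 'bogus' (no usable proof at that name).
    """
    queried: List[str] = []
    for name in ancestors_from_root(qname):
        queried.append(name)
        answer = ds_answers.get(name)
        if answer in (DS_PRESENT, NO_DS_NS_CLEAR):
            continue  # still inside the signed tree; go one label deeper
        if answer == NO_DS_NS_SET:
            # Secure proof of an unsigned delegation: everything below is
            # insecure, so stop here and send no DNSSEC queries further down.
            return "insecure", name, queried
        return "bogus", name, queried  # no validated DS or denial at all
    return "secure", "", queried


# Constructed answers, not real DNS data: 'university' is a plain name inside
# the signed 'example.' zone (NS bit clear), 'campus' is a signed child zone,
# and 'legacy' is an unsigned delegation (no DS, NS bit set).
CONSTRUCTED_DS_ANSWERS = {
    "example.": DS_PRESENT,
    "university.example.": NO_DS_NS_CLEAR,
    "campus.university.example.": DS_PRESENT,
    "host.campus.university.example.": NO_DS_NS_CLEAR,
    "legacy.example.": NO_DS_NS_SET,
}

if __name__ == "__main__":
    print(find_signed_limit("host.campus.university.example.", CONSTRUCTED_DS_ANSWERS))
    print(find_signed_limit("www.legacy.example.", CONSTRUCTED_DS_ANSWERS))
```

The second call stops at `legacy.example.` and never issues a DS query for `www.legacy.example.`, which is exactly the query to a DNSSEC-unaware server that caused the original breakage.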