[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

Michael Tremer michael.tremer at ipfire.org
Sun Jan 11 20:59:51 GMT 2015


Hello Simon,

unfortunately this does not seem to be it.

I got one report back from a user on our forums:

http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097

The German text there says that dnsmasq just crashes after a couple of
minutes in operation.

I didn't experience any crashes here, but it feels like resolving DNS
entries takes ages from time to time...

That's all of the feedback I got so far.

-Michael

On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
> Given the available information,
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
> 
> would be a very likely candidate to fix the crash problem. If that
> doesn't do it it would be really good to find a way to reproduce the
> problem.
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> On 02/01/15 09:42, Michael Tremer wrote:
> > Hello Simon,
> > 
> > thanks for looking into this. Unfortunately I did not have enough
> > time to look into that last year.
> > 
> > Whilst writing this, I am building a version of dnsmasq 2.72 with
> > some patches from the git repository. I also hope that these will
> > fix this problem that we are experiencing with lots of installations:
> > https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> > 
> > It will take me a couple of days to confirm if the crash is gone,
> > so please stay tuned for that. I will also try to encourage some of
> > our users in testing this pre-release.
> > 
> > If that would be of any help, I can try setting up a domain that
> > signs its records by using that algorithm.
> > 
> > -Michael
> > 
> > On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> >> I just looked at this. Simon's stripeyc.at is now working for
> >> me. I don't think I found any problems with 2.72 on that one
> >> though.
> >> 
> >> The domain mentioned in the ipfire thread
> >> (formation.ent-liberscol.fr) definitely found a bug in dnsmasq
> >> (combination of NSEC3 and wildcards.) I think that's all fixed in
> >> the current git HEAD / 2.73test2. Michael, please could you
> >> confirm, and pass this back to the ipfire list?
> >> 
> >> Cheers,
> >> 
> >> Simon.
> >> 
> >> 
> >> On 22/10/14 22:37, Simon Gebler wrote:
> >>> Sorry if I sounded rude or anything. Have a safe journey!
> >>> 
> >>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley 
> >>> <simon at thekelleys.org.uk> wrote:
> >>>> On 21/10/14 15:24, SiGe wrote:
> >>>>> I experienced that problem myself, posted about it on the
> >>>>> mailing list a few days ago. At least it happens on my domain
> >>>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with
> >>>>> the version currently shipped in the current stable OpenWRT
> >>>>> version.
> >>>>> 
> >>>>> So you're not alone there. Too bad my other post was
> >>>>> unacknowledged so far :/
> >>>> 
> >>>> Apologies for the lack of acknowledgement. I'm currently
> >>>> very busy and traveling. Getting to where I have available
> >>>> time _and_ a good cellphone signal is tricky, and I have a
> >>>> huge email backlog to crawl out from. I'll look at this as
> >>>> soon as I can.
> >>>> 
> >>>> 
> >>>> Cheers,
> >>>> 
> >>>> Simon.
> >>>> 
> >>>>> 
> >>>>> ~ Simon
> >>>>> 
> >>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer 
> >>>>> <michael.tremer at ipfire.org> wrote:
> >>>>>> 
> >>>>>> Hello fellow dnsmasq users,
> >>>>>> 
> >>>>>> there is a topic on the IPFire support forums I would
> >>>>>> like to point you to:
> >>>>>> 
> >>>>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>>>> 
> >>>>>> It appears that dnsmasq cannot verify resource records of
> >>>>>> a DNSSEC-enabled domain. That domain uses
> >>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although there is
> >>>>>> some code in dnsmasq that is supposed to handle this, it
> >>>>>> does not verify the records correctly.
> >>>>>> 
> >>>>>> Did anyone else experience this problem? Is it a bug with
> >>>>>> dnsmasq or the authoritative name servers of that domain?
> >>>>>> 
> >>>>>> Best, -Michael
> >>>>>> 
> >>>>>> ________________________________
> >>>>>> 
> >>>>>> Dnsmasq-discuss mailing list 
> >>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
> >>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss