[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Michael Tremer
michael.tremer at ipfire.org
Sun Jan 11 20:59:51 GMT 2015
Hello Simon,
unfortunately this does not seem to be it.
I got one report back from a user on our forums:
http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097
The German text there says that dnsmasq just crashes after a couple of
minutes in operation.
I didn't experience any crashes here, but it feels like resolving DNS
entries takes ages from time to time...
That's all of the feedback I got so far.
-Michael
On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
> Given the available information,
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
>
> would be a very likely candidate to fix the crash problem. If that
> doesn't do it, it would be really good to find a way to reproduce the
> problem.
>
>
>
> Cheers,
>
> Simon.
>
> On 02/01/15 09:42, Michael Tremer wrote:
> > Hello Simon,
> >
> > thanks for looking into this. Unfortunately I did not have enough
> > time to look into that last year.
> >
> > Whilst writing this, I am building a version of dnsmasq 2.72 with
> > some patches from the git repository. I also hope that these will
> > fix this problem that we are experiencing with lots of installations:
> > https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> >
> > It will take me a couple of days to confirm if the crash is gone,
> > so please stay tuned for that. I will also try to encourage some of
> > our users in testing this pre-release.
> >
> > If that would be of any help, I can try setting up a domain that
> > signs its records by using that algorithm.
> >
> > -Michael
> >
> > On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> >> I just looked at this. Simon's stripeyc.at is now working for
> >> me. I don't think I found any problems with 2.72 on that one
> >> though.
> >>
> >> The domain mentioned in the ipfire thread
> >> (formation.ent-liberscol.fr) definitely found a bug in dnsmasq
> >> (combination of NSEC3 and wildcards.) I think that's all fixed in
> >> the current git HEAD / 2.73test2. Michael, please could you
> >> confirm, and pass this back to the ipfire list?
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>
> >> On 22/10/14 22:37, Simon Gebler wrote:
> >>> Sorry if I sounded rude or anything. Have a safe journey!
> >>>
> >>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> >>> <simon at thekelleys.org.uk> wrote:
> >>>> On 21/10/14 15:24, SiGe wrote:
> >>>>> I experienced that problem myself, posted about it on the
> >>>>> mailing list a few days ago. At least it happens on my domain
> >>>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with
> >>>>> the version currently shipped in the current stable OpenWRT
> >>>>> version.
> >>>>>
> >>>>> So you're not alone there. Too bad my other post was
> >>>>> unacknowledged so far :/
> >>>>
> >>>> Apologies for the lack of acknowledgement. I'm currently
> >>>> very busy and traveling. Getting to where I have available
> >>>> time _and_ a good cellphone signal is tricky, and I have a
> >>>> huge email backlog to crawl out from. I'll look at this as
> >>>> soon as I can.
> >>>>
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Simon.
> >>>>
> >>>>>
> >>>>> ~ Simon
> >>>>>
> >>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
> >>>>> <michael.tremer at ipfire.org> wrote:
> >>>>>>
> >>>>>> Hello fellow dnsmasq users,
> >>>>>>
> >>>>>> there is a topic on the IPFire support forums I would
> >>>>>> like to point you to:
> >>>>>>
> >>>>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>>>>
> >>>>>> It appears that dnsmasq cannot verify resource records of
> >>>>>> a DNSSEC-enabled domain. That domain uses
> >>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although there is
> >>>>>> some code in dnsmasq that is supposed to handle this, it
> >>>>>> does not verify the records correctly.
> >>>>>>
> >>>>>> Did anyone else experience this problem? Is it a bug
> >>>>>> with dnsmasq or the authoritative name servers of that
> >>>>>> domain?
> >>>>>>
> >>>>>> Best, -Michael
> >>>>>>
> >>>>>> ________________________________
> >>>>>>
> >>>>>> Dnsmasq-discuss mailing list
> >>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss