[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Simon Kelley
simon at thekelleys.org.uk
Mon Jan 12 20:27:51 GMT 2015
Michael,

That's useful information, thanks, but it's not really enough to find
the problem. The best possible thing would be a way to reproduce the
crash here. If the crash is always caused by a particular domain, then
setting --log-queries, and looking at the last few lines of the log
might be enough; otherwise, we're looking at getting coredumps.

If you could encourage your users to start with query logging, that
would be great. There are relatively few people using the DNSSEC
validation, so it's really useful that it's getting some serious use
with you.

Are you using IPv6 upstream servers? There have been a few problems
with that which are external to dnsmasq, and which might be the source
of the delays.

I'm wondering about adding an option which would just log queries
which take more than a couple of seconds, which would make tracing
this sort of thing easier.

Cheers,

Simon.

On 11/01/15 20:59, Michael Tremer wrote:
> Hello Simon,
>
> unfortunately this does not seem to be it.
>
> I got one report back from a user on our forums:
>
> http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097
>
> The German text there says that dnsmasq just crashes after a couple
> of minutes in operation.
>
> I didn't experience any crashes here, but it feels like resolving
> DNS entries takes ages from time to time...
>
> That's all of the feedback I got so far.
>
> -Michael
>
> On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
>> Given the available information,
>>
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
>>
>> would be a very likely candidate to fix the crash problem. If that
>> doesn't do it it would be really good to find a way to reproduce
>> the problem.
>>
>> Cheers,
>>
>> Simon.
>>
>> On 02/01/15 09:42, Michael Tremer wrote:
>>> Hello Simon,
>>>
>>> thanks for looking into this. Unfortunately I did not have
>>> enough time to look into that last year.
>>>
>>> Whilst writing this, I am building a version of dnsmasq 2.72
>>> with some patches from the git repository. I also hope that
>>> these will fix this problem that we are experiencing with lots
>>> of installations:
>>> https://bugzilla.ipfire.org/show_bug.cgi?id=10607
>>>
>>> It will take me a couple of days to confirm if the crash is
>>> gone, so please stay tuned for that. I will also try to
>>> encourage some of our users in testing this pre-release.
>>>
>>> If that would be of any help, I can try setting up a domain
>>> that signs its records by using that algorithm.
>>>
>>> -Michael
>>>
>>> On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
>>>> I just looked at this. Simon's stripeyc.at is now working
>>>> for me. I don't think I found any problems with 2.72 on that
>>>> one though.
>>>>
>>>> The domain mentioned in the ipfire thread
>>>> (formation.ent-liberscol.fr) definitely found a bug in
>>>> dnsmasq (combination of NSEC3 and wildcards.) I think that's
>>>> all fixed in the current git HEAD / 2.73test2. Michael,
>>>> please could you confirm, and pass this back to the ipfire
>>>> list?
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>>
>>>> On 22/10/14 22:37, Simon Gebler wrote:
>>>>> Sorry if I sounded rude or anything. Have a safe journey!
>>>>>
>>>>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
>>>>> <simon at thekelleys.org.uk> wrote:
>>>>>> On 21/10/14 15:24, SiGe wrote:
>>>>>>> I experienced that problem myself, posted about it on
>>>>>>> the mailing list a few days ago. At least it happens on my
>>>>>>> domain that has both a SHA-1 AND 256 hash. I'm experiencing
>>>>>>> it with the version currently shipped in the current stable
>>>>>>> OpenWRT version.
>>>>>>>
>>>>>>> So you're not alone there. Too bad my other post was
>>>>>>> unacknowledged so far :/
>>>>>>
>>>>>> Apologies for the lack of acknowledgement. I'm currently
>>>>>> very busy and traveling. Getting to where I have
>>>>>> available time _and_ a good cellphone signal is tricky,
>>>>>> and I have a huge email backlog to crawl out from. I'll
>>>>>> look at this as soon as I can.
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon.
>>>>>>
>>>>>>>
>>>>>>> ~ Simon
>>>>>>>
>>>>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
>>>>>>> <michael.tremer at ipfire.org> wrote:
>>>>>>>>
>>>>>>>> Hello fellow dnsmasq users,
>>>>>>>>
>>>>>>>> there is a topic on the IPFire support forums I
>>>>>>>> would like to point you to:
>>>>>>>>
>>>>>>>> http://forum.ipfire.org/index.php?topic=11726.0
>>>>>>>>
>>>>>>>> It appears that dnsmasq cannot verify resource
>>>>>>>> records of a DNSSEC-enabled domain. That domain uses
>>>>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although
>>>>>>>> there is some code in dnsmasq that is supposed to
>>>>>>>> handle this, it does not verify the records
>>>>>>>> correctly.
>>>>>>>>
>>>>>>>> Did anyone else experience this problem? Is it a bug
>>>>>>>> with dnsmasq or the authoritative name servers of that
>>>>>>>> domain?
>>>>>>>>
>>>>>>>> Best, -Michael
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>>
>>>>>>>> Dnsmasq-discuss mailing list
>>>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
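
The log check suggested in the message above, as an added example that is not part of the original post or of dnsmasq: it pairs each `query[...]` line with its first `reply`/`cached`/`config` line, lists names answered later than a threshold, and lists names still unanswered where the log stops. The sample log lines, host names and addresses are constructed, and the syslog-style layout of `--log-queries` output and the `year` parameter are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of dnsmasq --log-queries output (not taken from the thread).
SAMPLE_LOG = """\
Jan 12 20:27:41 dnsmasq[1234]: query[A] www.example.org from 192.168.0.10
Jan 12 20:27:41 dnsmasq[1234]: forwarded www.example.org to 192.0.2.53
Jan 12 20:27:41 dnsmasq[1234]: reply www.example.org is 192.0.2.80
Jan 12 20:27:45 dnsmasq[1234]: query[A] slow.example.net from 192.168.0.11
Jan 12 20:27:45 dnsmasq[1234]: forwarded slow.example.net to 192.0.2.53
Jan 12 20:27:45 dnsmasq[1234]: dnssec-query[DS] example.net to 192.0.2.53
Jan 12 20:27:49 dnsmasq[1234]: reply slow.example.net is 192.0.2.81
Jan 12 20:27:50 dnsmasq[1234]: query[A] wild.example.com from 192.168.0.10
Jan 12 20:27:50 dnsmasq[1234]: forwarded wild.example.com to 192.0.2.53
Jan 12 20:27:50 dnsmasq[1234]: dnssec-query[DNSKEY] example.com to 192.0.2.53
"""

# timestamp, action (query[A], reply, cached, ...), name, then from/is/to
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) dnsmasq\[\d+\]: (\S+) (\S+) (from|is|to) ")
ANSWERED = {"reply", "cached", "config"}

def analyse(log_text, slow_after=2.0, year=2015):
    """Return (slow, unanswered): queries answered after slow_after seconds,
    and queries still without an answer when the log stops."""
    pending, slow = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, action, name, _ = m.groups()
        # syslog timestamps carry no year; `year` is an assumption
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if action.startswith("query["):
            pending.setdefault(name, when)  # keep the first time it was asked
        elif action in ANSWERED and name in pending:
            elapsed = (when - pending.pop(name)).total_seconds()
            if elapsed >= slow_after:
                slow.append((name, elapsed))
    return slow, sorted(pending)

if __name__ == "__main__":
    slow, unanswered = analyse(SAMPLE_LOG)
    for name, secs in slow:
        print(f"slow: {name} answered after {secs:.0f}s")
    for name in unanswered:
        print(f"unanswered at end of log: {name}")
```

Matching is by name only, so repeated queries for the same name are timed from the first one still outstanding.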