[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?
Michael Tremer
michael.tremer at ipfire.org
Tue Jan 13 13:54:31 GMT 2015
Hi Simon,
I wrote in the post that the user who can reproduce the bug should
enable that logging and post the results or possibly any core dumps.
dnsmasq is running perfectly fine on my IPFire system and I tried
throwing hundreds of requests at it to let it crash, but it won't :)
We are not using IPv6 servers at all. IPFire 2 only supports IPv4 anyway.
I also tried to alter the MTU of the outgoing interface and similar
things. No luck so far. When it runs, it runs. The few people who are
experiencing these issues are experiencing them constantly and quickly
after dnsmasq has been started. Changing the upstream name servers does
not resolve the problem.
That's all I have so far. Looking forward to hearing from that user now.
Thanks for your great help!
-Michael
On Mon, 2015-01-12 at 20:27 +0000, Simon Kelley wrote:
> Michael,
>
> That's useful information, thanks, but it's not really enough to find
> the problem. The best possible thing would be a way to reproduce the
> crash here. If the crash is always caused by a particular domain, then
> setting --log-queries, and looking at the last few lines of the log
> might be enough, otherwise, we're looking at getting coredumps.
>
> If you could encourage your users to start with query logging, that
> would be great. There are relatively few people using the DNSSEC
> validation, so it's really useful that it's getting some serious use
> with you.
>
>
> Are you using IPv6 upstream servers? There have been a few problems
> with that which are external to dnsmasq, and which might be the source
> of the delays.
>
> I'm wondering about adding an option which would just log queries
> which take more than a couple of seconds, which would make tracing
> this sort of thing easier.
>
>
> Cheers,
>
>
> Simon.
>
>
> On 11/01/15 20:59, Michael Tremer wrote:
> > Hello Simon,
> >
> > unfortunately this does not seem to be it.
> >
> > I got one report back from a user on our forums:
> >
> > http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097
> >
> > The German text there says that dnsmasq just crashes after a couple
> > of minutes in operation.
> >
> > I didn't experience any crashes here, but it feels like resolving
> > DNS entries takes ages from time to time...
> >
> > That's all of the feedback I got so far.
> >
> > -Michael
> >
> > On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
> >> Given the available information,
> >>
> >> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
> >>
> >> would be a very likely candidate to fix the crash problem. If that
> >> doesn't do it, it would be really good to find a way to reproduce
> >> the problem.
> >>
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >> On 02/01/15 09:42, Michael Tremer wrote:
> >>> Hello Simon,
> >>>
> >>> thanks for looking into this. Unfortunately I did not have
> >>> enough time to look into that last year.
> >>>
> >>> Whilst writing this, I am building a version of dnsmasq 2.72
> >>> with some patches from the git repository. I also hope that
> >>> these will fix this problem that we are experiencing with lots
> >>> installations:
> >>> https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> >>>
> >>> It will take me a couple of days to confirm if the crash is
> >>> gone, so please stay tuned for that. I will also try to
> >>> encourage some of our users in testing this pre-release.
> >>>
> >>> If that would be of any help, I can try setting up a domain
> >>> that signs its records by using that algorithm.
> >>>
> >>> -Michael
> >>>
> >>> On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> >>>> I just looked at this. Simon's stripeyc.at is now working
> >>>> for me. I don't think I found any problems with 2.72 on that
> >>>> one though.
> >>>>
> >>>> The domain mentioned in the ipfire thread
> >>>> (formation.ent-liberscol.fr) definitely found a bug in
> >>>> dnsmasq (combination of NSEC3 and wildcards.) I think that's
> >>>> all fixed in the current git HEAD / 2.73test2. Michael,
> >>>> please could you confirm, and pass this back to the ipfire
> >>>> list?
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Simon.
> >>>>
> >>>>
> >>>> On 22/10/14 22:37, Simon Gebler wrote:
> >>>>> Sorry if I sounded rude or anything. Have a safe journey!
> >>>>>
> >>>>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley
> >>>>> <simon at thekelleys.org.uk> wrote:
> >>>>>> On 21/10/14 15:24, SiGe wrote:
> >>>>>>> I experienced that problem myself, posted about it on
> >>>>>>> the mailing list a few days ago. At least it happens on my
> >>>>>>> domain that has both a SHA-1 AND 256 hash. I'm experiencing
> >>>>>>> it with the version currently shipped in the current stable
> >>>>>>> OpenWRT version.
> >>>>>>>
> >>>>>>> So you're not alone there. Too bad my other post was
> >>>>>>> unacknowledged so far :/
> >>>>>>
> >>>>>> Apologies for the lack of acknowledgement. I'm currently
> >>>>>> very busy and traveling. Getting to where I have
> >>>>>> available time _and_ a good cellphone signal is tricky,
> >>>>>> and I have a huge email backlog to crawl out from. I'll
> >>>>>> look at this as soon as I can.
> >>>>>>
> >>>>>>
> >>>>>> Cheers,
> >>>>>>
> >>>>>> Simon.
> >>>>>>
> >>>>>>>
> >>>>>>> ~ Simon
> >>>>>>>
> >>>>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer
> >>>>>>> <michael.tremer at ipfire.org> wrote:
> >>>>>>>>
> >>>>>>>> Hello fellow dnsmasq users,
> >>>>>>>>
> >>>>>>>> there is a topic on the IPFire support forums I
> >>>>>>>> would like to point you to:
> >>>>>>>>
> >>>>>>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>>>>>>
> >>>>>>>> It appears that dnsmasq cannot verify resource
> >>>>>>>> records of a DNSSEC-enabled domain. That domain uses
> >>>>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although
> >>>>>>>> there is some code in dnsmasq that is supposed to
> >>>>>>>> handle this, it does not verify the records
> >>>>>>>> correctly.
> >>>>>>>>
> >>>>>>>> Did anyone else experience this problem? Is it a bug
> >>>>>>>> with dnsmasq or the authoritative name servers of that
> >>>>>>>> domain?
> >>>>>>>>
> >>>>>>>> Best, -Michael
> >>>>>>>>
> >>>>>>>> ________________________________
> >>>>>>>>
> >>>>>>>> Dnsmasq-discuss mailing list
> >>>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
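The thread refers to NSEC3 denial-of-existence proofs and to a dnsmasq bug in the NSEC3-plus-wildcard path without giving details of either. What follows is an added example, not code from any of the messages above and not dnsmasq's own code: it implements the pieces a validator has to get right for this case, the RFC 5155 owner hash (SHA-1 iterated over the canonical wire name plus salt, base32hex encoded), the closest-encloser walk, the covering check including the wrap-around record, and the wildcard decision. The zone names, salt and iteration count are a constructed sample loosely modelled on the RFC 5155 Appendix A zone; the chain is computed from them, so nothing here depends on published hash values. Opt-out, NODATA proofs and signature checking are deliberately left out.

```python
"""NSEC3 hashing and denial-of-existence proofs (RFC 5155), worked example."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 "extended hex" alphabet


def normalize(name: str) -> str:
    """Lowercase, fully qualified form: 'Example' -> 'example.', '' -> '.'."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."


def parent(name: str) -> str:
    labels = normalize(name).rstrip(".").split(".")
    return normalize(".".join(labels[1:])) if len(labels) > 1 else "."


def wire_name(name: str) -> bytes:
    """Canonical wire format (RFC 4034 s.6.2): length-prefixed lowercase
    labels terminated by the empty root label."""
    out = b""
    for label in normalize(name).rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex; its alphabet sorts like the raw bytes, which is why
    NSEC3 owner names can be compared as strings."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), result
    IH(iterations), i.e. iterations+1 SHA-1 calls. 20 bytes -> 32 characters."""
    digest = wire_name(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(names, salt, iterations):
    """Complete NSEC3 chain as (owner_hash, next_hash) pairs in hash order;
    the last record's next wraps round to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def nsec3_matches(chain, h):
    return any(owner == h for owner, _ in chain)


def nsec3_covers(chain, h):
    """h is proven absent if it lies strictly between an owner and its next, or
    beyond the last record, whose next wraps to the first (RFC 5155 s.8.1)."""
    for owner, nxt in chain:
        if owner < nxt:
            if owner < h < nxt:
                return True
        elif h > owner or h < nxt:   # wrap-around (or single-record) NSEC3
            return True
    return False


def closest_encloser(chain, qname, apex, salt, iterations):
    """RFC 5155 s.8.3: walk up from qname until an ancestor's hash is matched;
    the name one label below it (the next closer name) must be covered.
    Returns (closest_encloser, next_closer), next_closer None if qname itself
    exists, or None when the chain proves nothing (validator verdict: bogus)."""
    sname, apex = normalize(qname), normalize(apex)
    if apex != "." and not (sname == apex or sname.endswith("." + apex)):
        return None
    next_closer = None
    while True:
        if nsec3_matches(chain, nsec3_hash(sname, salt, iterations)):
            if next_closer is None:
                return sname, None
            if nsec3_covers(chain, nsec3_hash(next_closer, salt, iterations)):
                return sname, next_closer
            return None
        if sname == apex:
            return None
        next_closer, sname = sname, parent(sname)


def prove(chain, qname, apex, salt, iterations):
    """'exists'; 'nxdomain' (s.8.4: closest encloser matched, next closer and
    *.<closest encloser> covered); 'wildcard' (same walk, but the wildcard
    exists, so the answer is synthesised from it); else 'bogus'."""
    ce = closest_encloser(chain, qname, apex, salt, iterations)
    if ce is None:
        return "bogus"
    enc, next_closer = ce
    if next_closer is None:
        return "exists"
    wild = nsec3_hash("*." + enc if enc != "." else "*.", salt, iterations)
    if nsec3_matches(chain, wild):
        return "wildcard"
    return "nxdomain" if nsec3_covers(chain, wild) else "bogus"


def covering_record(chain, h):
    """The single NSEC3 record that covers h, or None."""
    return next((r for r in chain if nsec3_covers([r], h)), None)


# Constructed sample zone (assumption: names, salt and iterations are made up
# for this example; w.example and y.w.example are empty non-terminals).
SALT, ITER, APEX = bytes.fromhex("aabbccdd"), 12, "example."
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "c.example.", "ns1.example.",
              "ns2.example.", "w.example.", "*.w.example.", "x.w.example.",
              "x.y.w.example.", "y.w.example."]
CHAIN = build_chain(ZONE_NAMES, SALT, ITER)


def demo(chain=CHAIN):
    """Verdicts for a few queries against the (complete) chain."""
    return {q: prove(chain, q, APEX, SALT, ITER)
            for q in ("ns1.example.", "Ns1.Example", "a.c.x.w.example.",
                      "a.w.example.", "other.test.")}


if __name__ == "__main__":
    for q, verdict in demo().items():
        print(q, "->", verdict)
```

To check the hash function against a real zone, take the salt and iteration count from its NSEC3PARAM record and compare the output with the zone's NSEC3 owner names. A validator only ever sees the handful of NSEC3 records the server put in the response, so the interesting failure mode is a missing record: dropping the one that covers *.<closest encloser> from the chain turns the name-error verdict for a.c.x.w.example into "bogus", which is what a validator has to return rather than accepting the denial.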