[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus
Simon Kelley
simon at thekelleys.org.uk
Thu Dec 17 17:58:24 GMT 2015
On 17/12/15 17:35, Simon Kelley wrote:
>> First and foremost, the primary issue of returning SERVFAILs for
>> zones with DNSKEY RRsets signed using _only_ unknown algorithms
>> (even though we are able to hash the DNSKEY RRset and
>> authenticate the DS at the parent) is not resolved. Quick
>> example: if you try to resolve anything within a zone signed
>> using only ECC-GOST keys, with an SHA-256 DS at the parent,
>> SERVFAIL is still returned as dnssec_validate_by_ds() still
>> requires the validate_rrset() call for DNSKEY RRset to succeed
>> for it to return anything else than STAT_BOGUS. In my patch
>> which started this thread I tried to demonstrate that if all
>> DNSKEY RRset validations fail only due to the lack of support for
>> the _signing_ algorithms used by its RRSIGs, the zone should be
>> marked as insecure, not bogus.
>
>
> Did you test this on a real domain and see a failure? The way it's
> intended to work is that the call to zone_status() at line 2042
> will work down from the root to the DS, where it will find that the
> SHA-256 DS covers an ECC-GOST key and return STAT_INSECURE at line
> 1869. That will be returned from dnssec_validate_reply at line
> 2049, before the call to validate_rrset is even made.
> dnssec_validate_by_ds() should never be called.
>
> An example of a domain that fails here would be really useful. I
> did testing by removing algorithms but as there are no rare
> algorithms it's difficult not to cause early failure of the process
> before the test case is reached.
>
>
More: the easiest way to test this is to use Cloudflare zones, which
are signed using ECC. If I resolve www.ietf.org, which is a CNAME to
the Cloudflare CDN, in dnsmasq I get a SECURE result. If I compile
dnsmasq with -DNO_NETTLE_ECC and repeat the test, I get an INSECURE
result. Looking good!
Cheers,
Simon.
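The parent-to-child decision the thread is about (a DS whose digest we can check covering a DNSKEY whose signing algorithm we cannot verify must yield INSECURE, not BOGUS), written out as an added Python model. This is not dnsmasq's code: the algorithm numbers are the real IANA values, but the supported-algorithm sets, the sample keys and the zone name are constructed for the example, and the DS digest is computed per RFC 4034 s5.1.4.

```python
import hashlib
from collections import namedtuple

# Real IANA DNSSEC registry numbers; the SUPPORTED_* sets are this toy
# validator's own (constructed), standing in for a build without GOST.
RSASHA256, ECC_GOST, ECDSAP256SHA256 = 8, 12, 13
DS_SHA256 = 2
SUPPORTED_SIGNING = {RSASHA256, ECDSAP256SHA256}
SUPPORTED_DIGEST = {DS_SHA256: hashlib.sha256}

DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm pubkey")
DS = namedtuple("DS", "algorithm digest_type digest")

def wire_name(name):
    """Owner name in uncompressed, lowercased DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, key, digest_type):
    """RFC 4034 s5.1.4: digest = H(owner name | DNSKEY RDATA)."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.pubkey
    return SUPPORTED_DIGEST[digest_type](wire_name(owner) + rdata).digest()

def make_ds(owner, key, digest_type=DS_SHA256):
    """The DS a parent would publish for `key` (used to build sample zones)."""
    return DS(key.algorithm, digest_type, ds_digest(owner, key, digest_type))

def zone_status(zone, ds_set, dnskeys):
    """Model of one parent-to-child step of the chain walk.
    SECURE:   a usable DS hashes to a DNSKEY whose signatures we can verify.
    INSECURE: no DS offers a digest/signing pair we support, so there is no
              supported path from the parent (RFC 4035 s5.2: treat as no DS;
              an empty set is assumed to come with authenticated denial).
    BOGUS:    a usable DS exists but no DNSKEY in the child matches it."""
    usable = False
    for ds in ds_set:
        if ds.digest_type not in SUPPORTED_DIGEST or ds.algorithm not in SUPPORTED_SIGNING:
            continue  # cannot use this DS at all; it must not cause BOGUS
        usable = True
        for key in dnskeys:
            if key.algorithm == ds.algorithm and ds_digest(zone, key, ds.digest_type) == ds.digest:
                return "SECURE"
    return "BOGUS" if usable else "INSECURE"

# Constructed sample keys; the pubkey bytes are placeholders, not real key material.
GOST_KEY = DNSKEY(257, 3, ECC_GOST, b"\x01" * 32)
ECDSA_KEY = DNSKEY(257, 3, ECDSAP256SHA256, b"\x02" * 64)

if __name__ == "__main__":
    print(zone_status("example.", [make_ds("example.", GOST_KEY)], [GOST_KEY]))    # INSECURE
    print(zone_status("example.", [make_ds("example.", ECDSA_KEY)], [ECDSA_KEY]))  # SECURE
```

Dropping ECDSAP256SHA256 from SUPPORTED_SIGNING reproduces the -DNO_NETTLE_ECC observation above: the same ECDSA zone flips from SECURE to INSECURE rather than to BOGUS.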