[Dnsmasq-discuss] [PATCH] DNSSEC Validation (super-simplified version)
Petr Menšík
pemensik at redhat.com
Thu Apr 28 11:12:38 UTC 2022
If you are not sure or you don't want to experiment here, you can still
include the patch as an attachment manually.
I don't use git send-email, but git format-patch -1. That creates a nicely
formatted patch file including timestamp, commit message and sender.
Then just attach that file and add [PATCH] to the subject manually. I have
used that to send my patches so far. It needs a few more clicks, but the
result should be the same and it is simpler to get right.
Cheers,
Petr
On 4/15/22 14:43, Chris Staite via Dnsmasq-discuss wrote:
> I just found out how to use git send-email as I’ve not used it before.
> However, I still don’t think I’ve done it right?
>
> Happy to take your advice here. I usually either dump a patch from
> git or use a PR.
>
> Thanks, Chris.
>
>
>> On 15 Apr 2022, at 11:26, Geert Stappers <stappers at stappers.nl> wrote:
>>
>> On Fri, Apr 15, 2022 at 09:20:47AM +0100, Chris via Dnsmasq-discuss
>> wrote:
>>> On 15 Apr 2022, 08:55, at 08:55, Geert Stappers
>>> <stappers at stappers.nl> wrote:
>>>> On Fri, Apr 15, 2022 at 12:19:55AM +0100, Chris Staite via
>>>> Dnsmasq-discuss wrote:
>>>>> Hi again again,
>>>>>
>>>>> I realised it was even easier than that. This time I am done and
>>>>> going to bed though, so no more spam from me (at least tonight
>>>>> anyway).
>>>>
>>>> When I woke up, I saw three messages from the same author about dnssec.
>>>> Only one message was opened (the other two got marked as read)
>>>>
>>>>> This time I actually fixed an issue with my simplified version in so
>>>>> much as it was able to circumvent the unsigned check of the parent
>>>>> from the target of the CNAME if the CNAME came after the A record in
>>>>> the response, which was bad. This stops that from happening, which
>>>>> is good. It does require the CNAME to come before the A record, but
>>>>> I think that’s required in the standard anyway? If it doesn’t,
>>>>> well then at least it’s better than it was before.
>>>>>
>>>>> Once again, please see previous for reasoning behind the patch.
>>>>
>>>> Please add the reason to the proposed patch.
>>>>
>>> <snip>
>>>
>>> The use case is as follows:
>>>
>>> 1) Query for a record.
>>> 2) Response is a CNAME which is valid but unsigned, but points to a
>>> record that is signed
>>> 3) Code checks unsigned and is happy with that (verifying NSEC)
>>> 4) Code checks CNAME and is happy with that (verifying the RRset)
>>> 5) Final validation sees a secure response in the answer set when
>>> the sigcnt for the response is 0 (because the CNAME was unsigned)
>>> and returns BOGUS
>>>
>>> The correct response here should be to return an INSECURE response
>>> (throwing away the secure check for the forwarded domain). One could
>>> argue it’s not worth validating the CNAME target if it isn’t
>>> signed itself… That’s an alternative, but we might as well make
>>> it as hard for the attacker as possible I suppose?
>>>
>>> </snip>
>>
>>
>> The long version of
>>>> Please add the reason to the proposed patch.
>>
>> Patch has been seen, there was no commit message.
>> Create a new version of the proposed patch
>> that does have a commit message.
>>
>>
>> Groeten
>> Geert Stappers
>> --
>> Silence is hard to parse
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
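The validator behaviour discussed in the quoted use case (an unsigned CNAME whose zone is proven unsigned by NSEC, pointing at a signed target, should grade the whole answer INSECURE rather than BOGUS, and that grade must not depend on whether the CNAME or the A record comes first in the packet), as an added model in Python. This is not dnsmasq's code and not part of the proposed patch; the record names, the RRset fields and the grading helpers are constructed for illustration.

```python
"""Model of how a DNSSEC validator grades a CNAME chain whose links have
different security states. Constructed illustration, not dnsmasq code."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    # Ordered so that the weakest link can be picked with min().
    BOGUS = 1
    INSECURE = 2
    SECURE = 3


@dataclass
class RRset:
    owner: str
    rtype: str                     # "CNAME" or a terminal type such as "A"
    rdata: str                     # CNAME target, or the address
    signed: bool                   # RRSIG verified against a trusted DNSKEY
    insecure_proof: bool = False   # NSEC/NSEC3 proves the owner's zone is unsigned


def grade_rrset(rr: RRset) -> Status:
    """Per-RRset state: verified signature -> SECURE; proven unsigned zone
    -> INSECURE; neither (signature missing or failed) -> BOGUS."""
    if rr.signed:
        return Status.SECURE
    if rr.insecure_proof:
        return Status.INSECURE
    return Status.BOGUS


def grade_answer(qname: str, qtype: str, answer: list[RRset]) -> Status:
    """Walk the CNAME chain by owner name, so packet order is irrelevant.
    The answer's grade is its weakest link: any BOGUS link makes the answer
    BOGUS; otherwise any INSECURE link makes it INSECURE; else SECURE.
    An incomplete chain or a CNAME loop is treated as BOGUS."""
    by_owner = {(rr.owner.lower(), rr.rtype): rr for rr in answer}
    grades: list[Status] = []
    name = qname.lower()
    for _ in range(len(answer) + 1):       # bound the walk; a loop never terminates
        rr = by_owner.get((name, qtype)) or by_owner.get((name, "CNAME"))
        if rr is None:
            return Status.BOGUS             # chain does not reach a terminal RRset
        grades.append(grade_rrset(rr))
        if rr.rtype != "CNAME":
            return min(grades, key=lambda s: s.value)
        name = rr.rdata.lower()
    return Status.BOGUS


# Constructed sample answer: unsigned CNAME (NSEC-proven insecure) -> signed A.
MIXED_CHAIN = [
    RRset("www.example.test", "CNAME", "cdn.signed.test", signed=False, insecure_proof=True),
    RRset("cdn.signed.test", "A", "192.0.2.10", signed=True),
]


if __name__ == "__main__":
    print(grade_answer("www.example.test", "A", MIXED_CHAIN))            # INSECURE
    print(grade_answer("www.example.test", "A", MIXED_CHAIN[::-1]))      # INSECURE, order-independent
```

Indexing the answer by owner name and walking from the query name is what makes the order of records in the packet irrelevant, which is the property the quoted discussion was worried about; a validator that scans the answer section linearly and keys its decision on a running signature count cannot give that guarantee.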