From: Simon Kelley <simon@thekelleys.org.uk>
To: Anders Kaseorg <andersk@mit.edu>
Cc: dnsmasq-discuss@thekelleys.org.uk, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Thu, 08 Jan 2015 16:34:11 +0000
Message-ID: <54AEB183.7050000@thekelleys.org.uk>
In-Reply-To: <alpine.DEB.2.10.1410041743400.37760@buzzword-bingo.mit.edu>
OK, it's taken some time, but with this insight, I've recoded the
relevant stuff to look for the limits of the signed DNS tree from the
DNS root down. That's clearly the correct way to do it, and should
avoid the original problem here, caused by sending DNSSEC queries to
DNSSEC-unaware servers in the unsigned parts of the tree.

This was quite a big change, and it could do with some serious
testing. Available now on the dnsmasq git repo, or as 2.73test3 in a
tarball.

There are other DNSSEC fixes in there too; check the changelog.

Cheers,

Simon.

On 04/10/14 22:45, Anders Kaseorg wrote:
> On Fri, 3 Oct 2014, Anders Kaseorg wrote:
>>> secure no DS means that the original unsigned answer should be
>>> accepted, except that it shouldn't. There's no way to
>>> distinguish between secure lack of DS because we've reached an
>>> unsigned branch of the tree, and secure lack of DS because
>>> we're not at a zone cut, except if we know where the zone cuts
>>> are, and we don't.
>>
>> Having just looked through RFC 5155 for clues: isn’t that the
>> purpose of the NS type bit in the NSEC3 record? In this example,
>> DS university would give an NSEC3 record with the NS bit clear.
>> That signals that we should go down a level and query DS campus.
>> In this case we find a signed DS there. But if we were to find
>> an NSEC3 with the NS bit set, then we’d know that we’ve really
>> found an unsigned zone and can stop going down.
>
> Aha: and this is exactly the answer given at
> http://tools.ietf.org/html/rfc6840#section-4.4 .
>
> Anders
>
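To make the root-down walk discussed in this thread concrete, here is an added Python sketch that is not dnsmasq code and not from either author; `DSAnswer`, `SAMPLE_TREE`, `find_signed_boundary` and `naive_status` are invented for the illustration, and the DS answers are a constructed model of what validated responses would say (RFC 6840 section 4.4 logic: signed DS means descend, secure denial with the NS bit set means an unsigned delegation, secure denial with the NS bit clear means "not a zone cut, keep descending").

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class DSAnswer:
    """Validated outcome of a DS query at one name (constructed model)."""
    ds_present: bool               # a signed DS RRset was returned
    ns_bit: Optional[bool] = None  # NS bit of the NSEC/NSEC3 bitmap on a denial

# Constructed DS answers. Names missing from the table get a secure denial
# with the NS bit clear (not a zone cut). university.example. is a plain name
# in example., campus.university.example. is a signed zone, and
# lab.campus.university.example. is an unsigned (insecure) delegation.
SAMPLE_TREE: Dict[str, DSAnswer] = {
    "example.": DSAnswer(ds_present=True),
    "university.example.": DSAnswer(ds_present=False, ns_bit=False),
    "campus.university.example.": DSAnswer(ds_present=True),
    "lab.campus.university.example.": DSAnswer(ds_present=False, ns_bit=True),
}

def lookup(name: str) -> DSAnswer:
    return SAMPLE_TREE.get(name, DSAnswer(ds_present=False, ns_bit=False))

def candidates(name: str):
    """Yield the ancestors of name from just below the root down to name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."

def find_signed_boundary(name: str, ds_lookup: Callable[[str], DSAnswer]) -> Tuple[str, str]:
    """Root-down walk as in RFC 6840 section 4.4: returns ('secure', deepest
    signed zone) or ('insecure', the proven unsigned delegation point)."""
    signed_zone = "."  # the root is trusted via the configured trust anchor
    for cand in candidates(name):
        ans = ds_lookup(cand)
        if ans.ds_present:
            signed_zone = cand       # signed child zone: keep descending
        elif ans.ns_bit:
            return "insecure", cand  # secure denial + NS bit set: unsigned zone
        # secure denial with NS bit clear: not a zone cut, descend one label
    return "secure", signed_zone

def naive_status(name: str, ds_lookup: Callable[[str], DSAnswer]) -> str:
    """The shortcut criticised in the quoted text: treat any secure 'no DS'
    as the end of the signed tree without checking for a zone cut."""
    for cand in candidates(name):
        if not ds_lookup(cand).ds_present:
            return "insecure"
    return "secure"
```

The naive walk stops at university.example. and would accept unsigned answers for the signed campus.university.example. zone, which is the downgrade the zone-cut check prevents.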