From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
To: <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
Date: Sun, 7 Jun 2015 19:03:32 +0100 [thread overview]
Message-ID: <55748774.1000301@darbyshire-bryant.me.uk> (raw)
In-Reply-To: <CAA93jw6yN0x9kDq0efH6TafLZ9ULOYsm5K2qLiTzna9NwJXaoQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3270 bytes --]
It is 2.73rc9(!) and I submitted a patch to openwrt this morning to bump
to that version (then I submitted version 2 to sort out the line wrapping)
There are a number of people hoping that a release is imminent but stuff
just keeps on being found.
Stop testing & looking in dark corners you fools :-)
On 07/06/15 18:51, Dave Taht wrote:
> if I haven't already said this, anybody using dnssec in
> cerowrt-3.10.50-1 should just disable it.
>
> The number of corner cases and bugs found and fixed in the last few
> months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
> think....
>
>
> ---------- Forwarded message ----------
> From: Simon Kelley <simon@thekelleys.org.uk>
> Date: Sun, Jun 7, 2015 at 1:53 AM
> Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
> To: dnsmasq-discuss@lists.thekelleys.org.uk
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 07/06/15 09:06, Karl-Johan Karlsson wrote:
>> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>>> Turns out that this domain has a "weird" by valid use of NSEC3
>>> which broke dnsmasq's corner-case code.
>>>
>>> 2.73rc9 should fix it.
>> Thanks, it looks like it works.
>>
>>
> Good stuff.
>
> A longer explanation (using NSEC because it's easier to understand,
> NSEC3, which was used in this case, has the same principle but it less
> obvious to understand.)
>
>
> An NSEC record is a signed record that proves no names exist in a
> certain alphabetic range
>
> so
>
> apple.example.com NSEC cherry.example.com
>
> proves that
>
> bananna.example.com cannot exist.
>
>
> If the next name is before the name of the NSEC, then it covers the
> wrap-around region, so
>
> cherry.example.com NSEC apple.example.com
>
> proves there are no names after cherry, and no names before apple.
>
>
> The tricky one is
>
> apple.example.com NSEC apple.example.com
>
> The obvious answer is that proves nothing, and that's what the dnsmasq
> code calculated. In fact it's an instance of the wraparound case, and
> proves that _only_ apple exists.
>
> It's fun stuff, this DNSSEC.
>
>
> Simon.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQIcBAEBCAAGBQJVdAaXAAoJEBXN2mrhkTWi3ysP/3h6YWQWbNFTKDYLtaxmE6B/
> o85j+DKvgkfzGMAk8VKgh7gbVSuS174VFpjkrKFCHjjNkXiOidVIvLOcSAPWtBIq
> 1IK/COZtnMzqpjxOrtkps/L7JJP1IQSiZdYwZFDuNK9c8N7TAqRpR83DPPJS5dVk
> 5X+c/QY8Z7LGPaWW/tMGxxd9NakkCRy3Qs9OwCyxAWZXNDsz3hfH9zmw8Im8ptSD
> P5RPCMoo9QPon5wsWdyr6kTTX73JPymvcJkNY/n8eIURNaPmaTFM589eQfO1xcFl
> F7hj6pdXnzzrdZTdEqgHYbRUYbAJCPCW+DhfIjdfWmfIXVHwSDo+KB65Sv0lDouJ
> aq6JFFy6cpKzZkEI2zXWw0WAVD4dHJqKe6ZcOiDG7zhUA9yr6j5WQDTZjgkM6fjz
> CHatx+KD8AioKS5mnS6zw+8m5nfXFDrCJ5ufdTKU2EttifU0ruMuBapmvbmuRipQ
> yvHMY7NfkHi46RScbah7FD5rybZP+1wEyDEGwfy89AWWkfWQ9TYCAt+tLojR8O5d
> jK3YxIxpKHp11b670su+E6z/eG1tHIwxWNxXX5U3ETIv8k4a5xAUmyLluhede+yy
> CA9wRufzbClKXbd+QkYobPNhid/VS2poMST0qeFa3yLvrr5je0KO0NFccBysk5jX
> y+6wwmuCyz2txq3mGO52
> =AQKV
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4791 bytes --]
prev parent reply other threads:[~2015-06-07 18:03 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4586744.SWlHNYxozs@orley>
[not found] ` <5573714A.2070902@thekelleys.org.uk>
[not found] ` <1912951.DO848rCvMM@orley>
[not found] ` <55740697.8030400@thekelleys.org.uk>
2015-06-07 17:51 ` Dave Taht
2015-06-07 18:03 ` Kevin Darbyshire-Bryant [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55748774.1000301@darbyshire-bryant.me.uk \
--to=kevin@darbyshire-bryant.me.uk \
--cc=cerowrt-devel@lists.bufferbloat.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox