It is 2.73rc9(!) and I submitted a patch to openwrt this morning to bump to that version (then I submitted version 2 to sort out the line wrapping).

There are a number of people hoping that a release is imminent but stuff just keeps on being found. Stop testing & looking in dark corners you fools :-)

On 07/06/15 18:51, Dave Taht wrote:
> if I haven't already said this, anybody using dnssec in
> cerowrt-3.10.50-1 should just disable it.
>
> The number of corner cases and bugs found and fixed in the last few
> months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
> think....
>
>
> ---------- Forwarded message ----------
> From: Simon Kelley
> Date: Sun, Jun 7, 2015 at 1:53 AM
> Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
> To: dnsmasq-discuss@lists.thekelleys.org.uk
>
> On 07/06/15 09:06, Karl-Johan Karlsson wrote:
>> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>>> Turns out that this domain has a "weird" but valid use of NSEC3
>>> which broke dnsmasq's corner-case code.
>>>
>>> 2.73rc9 should fix it.
>> Thanks, it looks like it works.
>
> Good stuff.
>
> A longer explanation (using NSEC because it's easier to understand,
> NSEC3, which was used in this case, has the same principle but is less
> obvious to understand.)
>
> An NSEC record is a signed record that proves no names exist in a
> certain alphabetic range
>
> so
>
> apple.example.com NSEC cherry.example.com
>
> proves that
>
> banana.example.com cannot exist.
>
> If the next name is before the name of the NSEC, then it covers the
> wrap-around region, so
>
> cherry.example.com NSEC apple.example.com
>
> proves there are no names after cherry, and no names before apple.
>
> The tricky one is
>
> apple.example.com NSEC apple.example.com
>
> The obvious answer is that proves nothing, and that's what the dnsmasq
> code calculated. In fact it's an instance of the wraparound case, and
> proves that _only_ apple exists.
>
> It's fun stuff, this DNSSEC.
>
> Simon.
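The three NSEC cases described in the forwarded message, as an added example that is not part of the original thread and is not dnsmasq's code. It assumes the NSEC record's signature has already been validated; the function names are hypothetical, and `nsec_naive` only mirrors the "proves nothing" reading described above.

```python
# Added illustration: NSEC range coverage with the wrap-around and
# single-name cases. Signature validation is assumed to have happened already.

def canonical_key(name):
    """Sort key for canonical DNS name order (RFC 4034 section 6.1):
    labels compared right to left, lowercased, as byte strings."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    return tuple(reversed(labels))

def nsec_naive(owner, next_name, qname):
    """Handles only owner < next, so 'apple NSEC apple' proves nothing."""
    o, n, q = map(canonical_key, (owner, next_name, qname))
    return o < q < n

def nsec_proves_nonexistent(owner, next_name, qname):
    """True if 'owner NSEC next_name' proves that qname does not exist."""
    o, n, q = map(canonical_key, (owner, next_name, qname))
    if q == o:
        return False          # the NSEC owner name itself exists
    if o < n:
        return o < q < n      # ordinary gap between two existing names
    # next <= owner is the wrap-around case: no names after owner and none
    # before next. With owner == next that is every name except the owner.
    return q > o or q < n

# Constructed sample records, reusing the names from the message above.
CASES = [
    ("apple.example.com", "cherry.example.com", "banana.example.com"),
    ("cherry.example.com", "apple.example.com", "zebra.example.com"),
    ("apple.example.com", "apple.example.com", "banana.example.com"),
]

if __name__ == "__main__":
    for owner, nxt, q in CASES:
        print(f"{owner} NSEC {nxt} | query {q}: "
              f"naive={nsec_naive(owner, nxt, q)} "
              f"wraparound-aware={nsec_proves_nonexistent(owner, nxt, q)}")
```

The third case is the one where the two functions disagree: the naive check reports no proof, while the wrap-around-aware check treats the record as proof that nothing but apple exists.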