* [Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
From: Dave Taht @ 2015-06-07 17:51 UTC (permalink / raw)
To: cerowrt-devel
if I haven't already said this, anybody using dnssec in
cerowrt-3.10.50-1 should just disable it.
The number of corner cases and bugs found and fixed in the last few
months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
think....
---------- Forwarded message ----------
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, Jun 7, 2015 at 1:53 AM
Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
To: dnsmasq-discuss@lists.thekelleys.org.uk
On 07/06/15 09:06, Karl-Johan Karlsson wrote:
> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>> Turns out that this domain has a "weird" but valid use of NSEC3
>> which broke dnsmasq's corner-case code.
>>
>> 2.73rc9 should fix it.
>
> Thanks, it looks like it works.
>
>
Good stuff.
A longer explanation (using NSEC because it's easier to understand;
NSEC3, which was used in this case, has the same principle but is less
obvious to understand.)
An NSEC record is a signed record that proves no names exist in a
certain alphabetic range
so
apple.example.com NSEC cherry.example.com
proves that
banana.example.com cannot exist.
If the next name is before the name of the NSEC, then it covers the
wrap-around region, so
cherry.example.com NSEC apple.example.com
proves there are no names after cherry, and no names before apple.
The tricky one is
apple.example.com NSEC apple.example.com
The obvious answer is that proves nothing, and that's what the dnsmasq
code calculated. In fact it's an instance of the wraparound case, and
proves that _only_ apple exists.
It's fun stuff, this DNSSEC.
Simon.
--
Dave Täht
What will it take to vastly improve wifi for everyone?
https://plus.google.com/u/0/explore/makewififast
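As an added illustration (not code from dnsmasq or from Simon's message), here are the three NSEC cases above written as a covering check, with the owner-equals-next case treated as the wraparound Simon describes; the naive variant reproduces the "proves nothing" result he says dnsmasq computed before 2.73rc9. It assumes names are compared in the RFC 4034 canonical order (labels lowercased, compared from the root end); NSEC3 applies the same range logic to hashed owner names and is not modelled here.

```python
# Added example (not dnsmasq code): the NSEC "covering" check from Simon's
# explanation, using the names from his message. Names are compared in the
# RFC 4034 section 6.1 canonical order (labels lowercased, root label first).
from typing import List


def canonical_labels(name: str) -> List[bytes]:
    """Split a name into labels ordered root-first and lowercased, so that
    plain list comparison gives the DNSSEC canonical ordering."""
    name = name.rstrip(".").lower()
    if not name:
        return []                      # the root name has no labels
    return [label.encode("ascii") for label in reversed(name.split("."))]


def nsec_covers(owner: str, next_name: str, query: str) -> bool:
    """True if `owner NSEC next_name` proves that `query` does not exist.

    Three cases from the message:
      owner < next  : normal range, query must fall strictly between them
      next < owner  : wraparound, query is after owner or before next
      owner == next : degenerate wraparound, *only* owner exists
    """
    o, n, q = (canonical_labels(x) for x in (owner, next_name, query))
    if q == o:
        return False                   # the owner itself exists; nothing denied
    if o < n:
        return o < q < n               # apple NSEC cherry covers banana
    # Wraparound (including owner == next): everything after owner or before next.
    return q > o or q < n


def nsec_covers_naive(owner: str, next_name: str, query: str) -> bool:
    """The reasoning Simon describes as dnsmasq's earlier result: treat
    owner == next as proving nothing, otherwise behave like nsec_covers()."""
    if canonical_labels(owner) == canonical_labels(next_name):
        return False
    return nsec_covers(owner, next_name, query)


if __name__ == "__main__":
    # Constructed sample records and queries taken from the names in the message.
    for rr, q in [(("apple.example.com", "cherry.example.com"), "banana.example.com"),
                  (("cherry.example.com", "apple.example.com"), "date.example.com"),
                  (("apple.example.com", "apple.example.com"), "banana.example.com")]:
        print(f"{rr[0]} NSEC {rr[1]} covers {q}: "
              f"correct={nsec_covers(*rr, q)} naive={nsec_covers_naive(*rr, q)}")
```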
* Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
From: Kevin Darbyshire-Bryant @ 2015-06-07 18:03 UTC (permalink / raw)
To: cerowrt-devel
It is 2.73rc9(!) and I submitted a patch to openwrt this morning to bump
to that version (then I submitted version 2 to sort out the line wrapping)
There are a number of people hoping that a release is imminent but stuff
just keeps on being found.
Stop testing & looking in dark corners you fools :-)