From: Dave Taht
To: "cerowrt-devel@lists.bufferbloat.net"
Date: Sun, 7 Jun 2015 10:51:04 -0700
Subject: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
In-Reply-To: <55740697.8030400@thekelleys.org.uk>
List-Id: Development issues regarding the cerowrt test router project

If I haven't already said this, anybody using dnssec in cerowrt-3.10.50-1 should just disable it. The number of corner cases and bugs found and fixed in the last few months on dnssec has been pretty amazing.

dnsmasq-2.73 is now at rc9 I think....

---------- Forwarded message ----------
From: Simon Kelley
Date: Sun, Jun 7, 2015 at 1:53 AM
Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
To: dnsmasq-discuss@lists.thekelleys.org.uk

On 07/06/15 09:06, Karl-Johan Karlsson wrote:
> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>> Turns out that this domain has a "weird" but valid use of NSEC3
>> which broke dnsmasq's corner-case code.
>>
>> 2.73rc9 should fix it.
>
> Thanks, it looks like it works.

Good stuff.

A longer explanation (using NSEC because it's easier to understand; NSEC3, which was used in this case, has the same principle but is less obvious to understand).

An NSEC record is a signed record that proves no names exist in a certain alphabetic range, so

apple.example.com NSEC cherry.example.com

proves that banana.example.com cannot exist.

If the next name is before the name of the NSEC, then it covers the wrap-around region, so

cherry.example.com NSEC apple.example.com

proves there are no names after cherry, and no names before apple.

The tricky one is

apple.example.com NSEC apple.example.com

The obvious answer is that proves nothing, and that's what the dnsmasq code calculated. In fact it's an instance of the wraparound case, and proves that _only_ apple exists.

It's fun stuff, this DNSSEC.

Simon.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

--
Dave Täht
What will it take to vastly improve wifi for everyone?
https://plus.google.com/u/0/explore/makewififast
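
The NSEC range logic described in the forwarded message, as an added example that is not part of the thread and is not dnsmasq's code. The function names are hypothetical, `nsec_covers_naive` only models the "proves nothing" reading the message describes, and the sketch assumes plain ASCII names in one zone and NSEC rather than NSEC3.

```python
# Added example: NSEC "covers" check with wraparound. Not dnsmasq source code.
# Assumes ASCII names in a single zone, no escaped dots, NSEC (not NSEC3).

def canon_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left,
    lowercased, as raw byte strings. A parent sorts before its children."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, nxt, qname):
    """True if the record `owner NSEC nxt` proves that qname does not exist."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if q == o:
        return False              # the owner name itself exists
    if o < n:
        return o < q < n          # ordinary gap between two names
    # nxt <= owner: this record closes the chain and wraps around.
    # owner == nxt is the one-name chain: everything except owner is covered.
    return q > o or q < n

def nsec_covers_naive(owner, nxt, qname):
    """Hypothetical model of the flawed reading: owner == nxt is an empty range."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    if n < o:
        return q > o or q < n
    return False                  # misses the single-name wraparound case

# Constructed sample records, built from the names used in the message.
SAMPLES = [
    ("apple.example.com", "cherry.example.com", "banana.example.com"),
    ("cherry.example.com", "apple.example.com", "zebra.example.com"),
    ("cherry.example.com", "apple.example.com", "banana.example.com"),
    ("apple.example.com", "apple.example.com", "banana.example.com"),
    ("apple.example.com", "apple.example.com", "apple.example.com"),
]

if __name__ == "__main__":
    for owner, nxt, qname in SAMPLES:
        print(f"{owner} NSEC {nxt} | {qname}: "
              f"correct={nsec_covers(owner, nxt, qname)} "
              f"naive={nsec_covers_naive(owner, nxt, qname)}")
```

A validator that takes the naive reading cannot find a denial-of-existence proof in a zone whose chain is a single record, so it rejects valid signed negative answers from that zone.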