[Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
dave.taht at gmail.com
Sun Jun 7 13:51:04 EDT 2015
if I haven't already said this, anybody using dnssec in
cerowrt-3.10.50-1 should just disable it.
The number of corner cases and bugs found and fixed in the last few
months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
---------- Forwarded message ----------
From: Simon Kelley <simon at thekelleys.org.uk>
Date: Sun, Jun 7, 2015 at 1:53 AM
Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
To: dnsmasq-discuss at lists.thekelleys.org.uk
On 07/06/15 09:06, Karl-Johan Karlsson wrote:
> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>> Turns out that this domain has a "weird" but valid use of NSEC3
>> which broke dnsmasq's corner-case code.
>> 2.73rc9 should fix it.
> Thanks, it looks like it works.
A longer explanation (using NSEC because it's easier to understand;
NSEC3, which was used in this case, has the same principle but is less
obvious to understand).
An NSEC record is a signed record that proves no names exist in a
certain alphabetic range:
apple.example.com NSEC cherry.example.com
banana.example.com cannot exist.
If the next name is before the name of the NSEC, then it covers the
wrap-around region, so
cherry.example.com NSEC apple.example.com
proves there are no names after cherry, and no names before apple.
The tricky one is
apple.example.com NSEC apple.example.com
The obvious answer is that it proves nothing, and that's what the dnsmasq
code calculated. In fact it's an instance of the wraparound case, and
proves that _only_ apple exists.
It's fun stuff, this DNSSEC.
What will it take to vastly improve wifi for everyone?
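The NSEC covering rule Simon describes above, including the owner == next corner case, as an added example in Python (not code from the thread or from dnsmasq). It assumes RFC 4034 canonical name ordering (labels compared right to left, case-insensitively) and leaves signature validation and zone-membership checks to the caller; the chain builder and the zone names are constructed for illustration.

```python
"""NSEC denial-of-existence check, including the owner == next corner case."""
from typing import List, Optional, Tuple


def canonical_key(name: str) -> List[bytes]:
    """RFC 4034 section 6.1 ordering key: labels compared right to left,
    case-insensitively, so plain list comparison gives the zone's NSEC order."""
    labels = [l for l in name.rstrip(".").lower().encode("ascii").split(b".") if l]
    return labels[::-1]


def build_nsec_chain(names: List[str]) -> List[Tuple[str, str]]:
    """Constructed helper: chain the zone's names in canonical order. The last
    record wraps around to the first, so a one-name zone yields (name, name)."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_denies(owner: str, next_name: str, qname: str) -> bool:
    """True if the record  owner NSEC next_name  proves qname does not exist.
    The signature and the record's zone are assumed to have been validated."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False            # the owner itself exists (NODATA needs the type bitmap)
    if o < n:
        return o < q < n        # interior span: owner < qname < next
    if o > n:
        return q > o or q < n   # wraparound: no names after owner, none before next
    return True                 # owner == next: only owner exists, every other name is denied


def find_denial(chain: List[Tuple[str, str]], qname: str) -> Optional[Tuple[str, str]]:
    """Return the chain record that denies qname, or None if no record covers it."""
    for owner, next_name in chain:
        if nsec_denies(owner, next_name, qname):
            return (owner, next_name)
    return None


if __name__ == "__main__":
    # Constructed sample zones mirroring the apple/banana/cherry example above.
    two = build_nsec_chain(["cherry.example.com", "apple.example.com"])
    print(find_denial(two, "banana.example.com"))  # interior record: apple -> cherry
    print(find_denial(two, "date.example.com"))    # wraparound record: cherry -> apple
    one = build_nsec_chain(["apple.example.com"])  # [('apple...', 'apple...')]
    print(find_denial(one, "banana.example.com"))  # the "proves nothing" trap: banana is denied
    print(find_denial(one, "apple.example.com"))   # None: apple itself exists
```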