[Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Sun Jun 7 14:03:32 EDT 2015


It is 2.73rc9(!) and I submitted a patch to openwrt this morning to bump 
to that version (then I submitted version 2 to sort out the line wrapping)

There are a number of people hoping that a release is imminent but stuff 
just keeps on being found.

Stop testing & looking in dark corners you fools :-)

On 07/06/15 18:51, Dave Taht wrote:
> if I haven't already said this, anybody using dnssec in
> cerowrt-3.10.50-1 should just disable it.
>
> The number of corner cases and bugs found and fixed in the last few
> months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
> think....
>
>
> ---------- Forwarded message ----------
> From: Simon Kelley <simon at thekelleys.org.uk>
> Date: Sun, Jun 7, 2015 at 1:53 AM
> Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
> To: dnsmasq-discuss at lists.thekelleys.org.uk
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 07/06/15 09:06, Karl-Johan Karlsson wrote:
>> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>>> Turns out that this domain has a "weird" but valid use of NSEC3
>>> which broke dnsmasq's corner-case code.
>>>
>>> 2.73rc9 should fix it.
>> Thanks, it looks like it works.
>>
>>
> Good stuff.
>
> A longer explanation (using NSEC because it's easier to understand;
> NSEC3, which was used in this case, has the same principle but is less
> obvious to understand.)
>
>
> An NSEC record is a signed record that proves no names exist in a
> certain alphabetic range
>
> so
>
> apple.example.com  NSEC cherry.example.com
>
> proves that
>
> banana.example.com cannot exist.
>
>
> If the next name is before the name of the NSEC, then it covers the
> wrap-around region, so
>
> cherry.example.com NSEC apple.example.com
>
> proves there are no names after cherry, and no names before apple.
>
>
> The tricky one is
>
> apple.example.com NSEC apple.example.com
>
> The obvious answer is that proves nothing, and that's what the dnsmasq
> code calculated. In fact it's an instance of the wraparound case, and
> proves that _only_ apple exists.
>
> It's fun stuff, this DNSSEC.
>
>
> Simon.
>
>
>
>
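The NSEC reasoning in Simon's forwarded message (the in-range case, the wrap-around case, and the self-pointing `apple NSEC apple` corner case that tripped dnsmasq) is easy to get wrong, so here is a small worked check. This is an added example, not dnsmasq code and not from anyone on the thread; it assumes the query name is inside the zone the NSEC belongs to, ignores the NSEC type bitmap and delegation/wildcard rules, and compares names in the RFC 4034 canonical order (labels compared from the root end as lowercase octet strings, a name sorting before any name it is a prefix of).

```python
# Added example: does an NSEC record (owner -> next) prove that a queried
# name does not exist?  Signature validation is assumed to have already
# happened; this only models the "covering" logic described in the mail.

def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 ordering key: labels from the root downward,
    each lowercased.  Python tuple comparison then gives canonical order,
    including 'a name sorts before any name it is a proper prefix of'."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_proves_nonexistence(owner: str, next_name: str, query: str) -> bool:
    """True if the NSEC record 'owner NSEC next_name' proves that 'query'
    does not exist.  Handles the three shapes from the mail:
      owner < next   : ordinary range, query must fall strictly between
      owner > next   : wrap-around, query is after owner or before next
      owner == next  : only the owner exists, so every other name is absent
    A query equal to the owner is never proven absent: the owner exists."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(query)
    if q == o:
        return False            # the NSEC owner itself exists
    if o < n:
        return o < q < n        # normal case: apple NSEC cherry covers banana
    if o > n:
        return q > o or q < n   # wrap-around: cherry NSEC apple covers zebra, aardvark
    return True                 # o == n: wrap-around degenerate case, only owner exists


def demo() -> dict:
    """Constructed inputs mirroring the examples in the mail."""
    return {
        # apple NSEC cherry: proves banana absent, says nothing about date
        "range_hit":      nsec_proves_nonexistence("apple.example.com", "cherry.example.com", "banana.example.com"),
        "range_miss":     nsec_proves_nonexistence("apple.example.com", "cherry.example.com", "date.example.com"),
        # cherry NSEC apple: wrap-around, covers names after cherry and before apple
        "wrap_after":     nsec_proves_nonexistence("cherry.example.com", "apple.example.com", "zebra.example.com"),
        "wrap_before":    nsec_proves_nonexistence("cherry.example.com", "apple.example.com", "aardvark.example.com"),
        "wrap_inside":    nsec_proves_nonexistence("cherry.example.com", "apple.example.com", "banana.example.com"),
        # apple NSEC apple: the corner case; proves everything but apple is absent
        "self_other":     nsec_proves_nonexistence("apple.example.com", "apple.example.com", "banana.example.com"),
        "self_owner":     nsec_proves_nonexistence("apple.example.com", "apple.example.com", "apple.example.com"),
        # case-insensitive canonical comparison
        "case_fold":      nsec_proves_nonexistence("Apple.Example.COM", "cherry.example.com", "BANANA.example.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v}")
```

The naive reading that "owner == next proves nothing" is exactly the branch that would return `False` for `self_other`; the record is really the wrap-around case collapsed to a single name, which is why the last `return True` is correct for any query other than the owner.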

