[Cerowrt-devel] Fwd: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
kevin at darbyshire-bryant.me.uk
Sun Jun 7 14:03:32 EDT 2015
It is 2.73rc9(!) and I submitted a patch to openwrt this morning to bump
to that version (then I submitted version 2 to sort out the line wrapping).
There are a number of people hoping that a release is imminent but stuff
just keeps on being found.
Stop testing & looking in dark corners you fools :-)
On 07/06/15 18:51, Dave Taht wrote:
> if I haven't already said this, anybody using dnssec in
> cerowrt-3.10.50-1 should just disable it.
> The number of corner cases and bugs found and fixed in the last few
> months on dnssec has been pretty amazing. dnsmasq-2.73 is now at rc9 I
> ---------- Forwarded message ----------
> From: Simon Kelley <simon at thekelleys.org.uk>
> Date: Sun, Jun 7, 2015 at 1:53 AM
> Subject: Re: [Dnsmasq-discuss] dnssec-check-unsigned breaks linux.conf.au
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> On 07/06/15 09:06, Karl-Johan Karlsson wrote:
>> On Sat 06 Jun 2015 23.16.42 Simon Kelley wrote:
>>> Turns out that this domain has a "weird" but valid use of NSEC3
>>> which broke dnsmasq's corner-case code.
>>> 2.73rc9 should fix it.
>> Thanks, it looks like it works.
> Good stuff.
> A longer explanation (using NSEC because it's easier to understand,
> NSEC3, which was used in this case, has the same principle but is less
> obvious to understand.)
> An NSEC record is a signed record that proves no names exist in a
> certain alphabetic range
> apple.example.com NSEC cherry.example.com
> proves that
> banana.example.com cannot exist.
> If the next name is before the name of the NSEC, then it covers the
> wrap-around region, so
> cherry.example.com NSEC apple.example.com
> proves there are no names after cherry, and no names before apple.
> The tricky one is
> apple.example.com NSEC apple.example.com
> The obvious answer is that it proves nothing, and that's what the dnsmasq
> code calculated. In fact it's an instance of the wraparound case, and
> proves that _only_ apple exists.
> It's fun stuff, this DNSSEC.
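Added example, not part of the original messages and not dnsmasq's code: the NSEC range check described in the forwarded explanation, written in Python, including the case where the owner and the next name are equal. The function names are hypothetical, names are assumed to be plain ASCII inside the signed zone, and nsec_denies_naive models the "proves nothing" reading from the message rather than the actual pre-2.73rc9 source.

```python
# Added illustration; function names are hypothetical, not taken from dnsmasq.

def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    lowercase the name and compare labels right to left as byte strings."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def nsec_denies(owner, next_name, qname):
    """True if the record 'owner NSEC next_name' proves qname does not exist.
    Assumes qname lies inside the zone the record was signed in."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False              # the owner name itself exists
    if o < n:
        return o < q < n          # ordinary gap between two names
    # next_name <= owner: wrap-around region, nothing after owner and
    # nothing before next_name. owner == next_name is the same case for a
    # zone holding a single name, so every other name is denied.
    return q > o or q < n


def nsec_denies_naive(owner, next_name, qname):
    """Model of the mistaken reading: owner == next_name is an empty range."""
    if canonical_key(owner) == canonical_key(next_name):
        return False              # "proves nothing"
    return nsec_denies(owner, next_name, qname)


if __name__ == "__main__":
    # Constructed sample records, following the names used in the message.
    samples = [
        ("apple.example.com", "cherry.example.com", "banana.example.com"),
        ("cherry.example.com", "apple.example.com", "zebra.example.com"),
        ("apple.example.com", "apple.example.com", "banana.example.com"),
    ]
    for owner, nxt, q in samples:
        print(f"{owner} NSEC {nxt} | {q}: "
              f"correct={nsec_denies(owner, nxt, q)} "
              f"naive={nsec_denies_naive(owner, nxt, q)}")
```

For a validating resolver the difference matters on unsigned-delegation and NXDOMAIN checks: the naive result leaves a valid denial unproven, so a correctly signed single-name zone fails validation.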