public inbox for development@lists.ipfire.org
* RSA/SHA1-NSEC3-SHA1 signature bug?
@ 2014-10-21 13:11 Michael Tremer
  2014-10-22  2:50 ` R. W. Rodolico
  2014-10-22  5:58 ` R. W. Rodolico
  0 siblings, 2 replies; 4+ messages in thread
From: Michael Tremer @ 2014-10-21 13:11 UTC (permalink / raw)
  To: development


Hello fellow dnsmasq users,

there is a topic on the IPFire support forums I would like to point you
to:

  http://forum.ipfire.org/index.php?topic=11726.0

It appears that dnsmasq cannot verify resource records of a
DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
signatures. Although there is some code in dnsmasq that is supposed to
handle this, it does not verify the records correctly.

Did anyone else experience this problem? Is it a bug with dnsmasq or the
authoritative name servers of that domain?

Best,
-Michael


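As an added example for readers of this thread (not code from dnsmasq, IPFire or the forum topic), the following Python decodes DNSKEY and RRSIG RDATA, computes the RFC 4034 key tag, and reports whether each RRSIG names an algorithm and key tag for which the zone actually publishes a DNSKEY. A validator can only succeed if that pairing exists, so a mismatch (for instance an RRSIG left over from a key rollover) produces a validation failure that looks like a resolver bug but lies with the authoritative data. All sample records below are constructed; they are not the records of the domain discussed in the thread.

```python
"""Pair RRSIGs with the DNSKEYs they claim to be signed by (RFC 4034).

Added example for this thread; not dnsmasq or IPFire code.  The records
in SAMPLE_* are constructed for illustration.
"""
import struct

# DNSSEC algorithm numbers from the IANA registry; 7 is the one in question.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the whole DNSKEY RDATA (algorithm != 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rdata: bytes) -> dict:
    """Split DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key(n)."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return {
        "flags": flags,
        "zone_key": bool(flags & 0x0100),  # bit 7: key may sign zone data
        "sep": bool(flags & 0x0001),       # bit 15: secure entry point (KSK)
        "algorithm": algorithm,
        "key_tag": key_tag(rdata),
        "public_key": rdata[4:],
    }


def parse_name(buf: bytes, offset: int):
    """Read an uncompressed wire-format name starting at offset."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointers are not allowed in RRSIG signer names")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_rrsig(rdata: bytes) -> dict:
    """Split RRSIG RDATA: fixed 18-byte header, signer name, signature."""
    if len(rdata) < 19:
        raise ValueError("RRSIG RDATA too short")
    fields = struct.unpack("!HBBIIIH", rdata[:18])
    type_covered, algorithm, labels, orig_ttl, expiration, inception, tag = fields
    signer, off = parse_name(rdata, 18)
    return {
        "type_covered": type_covered, "algorithm": algorithm, "labels": labels,
        "orig_ttl": orig_ttl, "expiration": expiration, "inception": inception,
        "key_tag": tag, "signer": signer, "signature": rdata[off:],
    }


def check_rrsigs(dnskey_rdatas, rrsig_rdatas):
    """For each RRSIG report (key_tag, algorithm, status).

    A "candidate DNSKEY found" status means a zone key with the same tag and
    algorithm exists; the signature itself still has to verify (key tags can
    collide), so this is a precondition check, not a validation result.
    """
    keys = [parse_dnskey(k) for k in dnskey_rdatas]
    report = []
    for raw in rrsig_rdatas:
        sig = parse_rrsig(raw)
        candidates = [k for k in keys
                      if k["zone_key"]
                      and k["key_tag"] == sig["key_tag"]
                      and k["algorithm"] == sig["algorithm"]]
        if sig["algorithm"] not in ALGORITHMS:
            status = "algorithm not in local table"
        elif not candidates:
            status = "no matching DNSKEY"
        else:
            status = "candidate DNSKEY found"
        report.append((sig["key_tag"], sig["algorithm"], status))
    return report


# Constructed sample zone: one KSK (flags 257) using algorithm 7 with a toy
# public key, one RRSIG that points at it and one stale RRSIG that does not.
SAMPLE_DNSKEY = bytes.fromhex("0101" "03" "07") + bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
_SIGNER = b"\x07example\x03net\x00"          # constructed signer name example.net.
SAMPLE_RRSIG_OK = struct.pack("!HBBIIIH", 1, 7, 2, 3600, 1414540800, 1413331200, 45783) + _SIGNER + b"\x00" * 8
SAMPLE_RRSIG_STALE = struct.pack("!HBBIIIH", 1, 8, 2, 3600, 1414540800, 1413331200, 12345) + _SIGNER + b"\x00" * 8

if __name__ == "__main__":
    for tag, alg, status in check_rrsigs([SAMPLE_DNSKEY], [SAMPLE_RRSIG_OK, SAMPLE_RRSIG_STALE]):
        print(f"RRSIG key tag {tag:5d} alg {alg:2d} ({ALGORITHMS.get(alg, '?')}): {status}")
```

In a real investigation the RDATA bytes would come from `dig +dnssec` (or a packet capture) for the zone's DNSKEY and the failing RRset; if every RRSIG has a candidate DNSKEY and the algorithm is one the validator implements, the problem is in signature verification or in the chain of trust (DS records at the parent), not in the zone's key publication.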

* Re: RSA/SHA1-NSEC3-SHA1 signature bug?
  2014-10-21 13:11 RSA/SHA1-NSEC3-SHA1 signature bug? Michael Tremer
@ 2014-10-22  2:50 ` R. W. Rodolico
  2014-10-22  5:58 ` R. W. Rodolico
  1 sibling, 0 replies; 4+ messages in thread
From: R. W. Rodolico @ 2014-10-22  2:50 UTC (permalink / raw)
  To: development


I have been having a similar-sounding bug on one of my routers. It uses
DHCP for the outside IP. The DNS does not resolve from the router itself
(i.e., from the router's CLI I "dig dailydata.net" and get a null return).

I changed the DNS server to 8.8.8.8 (to keep from using the provider's
DNS), rebooted (to hopefully clear any cache and restart dnsmasq), and
have the same issue. However, doing "dig @8.8.8.8 dailydata.net" returns
a valid result and, after that, I can resolve other sites.

This is low priority for me since I set the client machines (Windoze
workstations) to 8.8.8.8 via the internal DHCP and they work fine. When
I go to do the update, however, I have the one additional step of doing
a "dig @8.8.8.8" first, then I can do pakfire upgrade/update.

If anyone can tell me something to do to try and track it down, I will
be happy to do it. At the least, I guess I can follow the forum topic
and see if I get similar results.

Rod

On 10/21/2014 08:11 AM, Michael Tremer wrote:
> Hello fellow dnsmasq users,
> 
> there is a topic on the IPFire support forums I would like to point you
> to:
> 
>   http://forum.ipfire.org/index.php?topic=11726.0
> 
> It appears that dnsmasq cannot verify resource records of a
> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
> signatures. Although there is some code in dnsmasq that is supposed to
> handle this, it does not verify the records correctly.
> 
> Did anyone else experience this problem? Is it a bug with dnsmasq or the
> authoritative name servers of that domain?
> 
> Best,
> -Michael
> 
> 
> 
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
> 

-- 
"Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net


* Re: RSA/SHA1-NSEC3-SHA1 signature bug?
  2014-10-21 13:11 RSA/SHA1-NSEC3-SHA1 signature bug? Michael Tremer
  2014-10-22  2:50 ` R. W. Rodolico
@ 2014-10-22  5:58 ` R. W. Rodolico
  2014-10-22 12:01   ` Michael Tremer
  1 sibling, 1 reply; 4+ messages in thread
From: R. W. Rodolico @ 2014-10-22  5:58 UTC (permalink / raw)
  To: development


Ignore my previous e-mail. My problem is not related. It appears to be
an issue with setup not reading/writing
/var/ipfire/dns/settings.something. I'm trying to track it down.

Rod

On 10/21/2014 08:11 AM, Michael Tremer wrote:
> Hello fellow dnsmasq users,
> 
> there is a topic on the IPFire support forums I would like to point you
> to:
> 
>   http://forum.ipfire.org/index.php?topic=11726.0
> 
> It appears that dnsmasq cannot verify resource records of a
> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
> signatures. Although there is some code in dnsmasq that is supposed to
> handle this, it does not verify the records correctly.
> 
> Did anyone else experience this problem? Is it a bug with dnsmasq or the
> authoritative name servers of that domain?
> 
> Best,
> -Michael
> 
> 
> 
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
> 

-- 
"Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net


* Re: RSA/SHA1-NSEC3-SHA1 signature bug?
  2014-10-22  5:58 ` R. W. Rodolico
@ 2014-10-22 12:01   ` Michael Tremer
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2014-10-22 12:01 UTC (permalink / raw)
  To: development


Hey,

there could be something wrong with your firewall rules which don't
allow the firewall to access the DNS servers. This must be port 53 UDP
and TCP.

You could also check if dnsmasq is still alive and not crashing...

Best,
-Michael

On Wed, 2014-10-22 at 00:58 -0500, R. W. Rodolico wrote:
> Ignore my previous e-mail. My problem is not related. It appears to be
> an issue with setup not reading/writing
> /var/ipfire/dns/settings.something. I'm trying to track it down.
> 
> Rod
> 
> On 10/21/2014 08:11 AM, Michael Tremer wrote:
> > Hello fellow dnsmasq users,
> > 
> > there is a topic on the IPFire support forums I would like to point you
> > to:
> > 
> >   http://forum.ipfire.org/index.php?topic=11726.0
> > 
> > It appears that dnsmasq cannot verify resource records of a
> > DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
> > signatures. Although there is some code in dnsmasq that is supposed to
> > handle this, it does not verify the records correctly.
> > 
> > Did anyone else experience this problem? Is it a bug with dnsmasq or the
> > authoritative name servers of that domain?
> > 
> > Best,
> > -Michael
> > 
> > 
> > 
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
> > 
> 


