dnsmasq: backport dnssec security fix
author Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fri, 19 Jan 2018 17:16:08 +0000 (17:16 +0000)
committer Hans Dedecker <dedeckeh@gmail.com>
Fri, 19 Jan 2018 21:11:16 +0000 (22:11 +0100)
commit a3198061f80a7f3933810cd99206b085e4cf49f9
tree 08af0a10a298d17b794315b66af914e080c73c04
parent 9c2ac19b032c81a454f1efbcf5681b80cad2fa39

CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove that nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exist, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch [new file with mode: 0644]
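The range an NSEC record actually proves, as an added illustration of the bug the commit message describes (example code written for this page, not dnsmasq's own validator): the RRSIG Labels field tells a validator that the record was synthesized from a wildcard, so the proof starts at *.example.org rather than at the expanded owner name. The `Nsec` class, the `wildcard_aware` switch and all names and values are constructed for the example.

```python
"""Illustration of the NSEC wildcard range bug (CVE-2017-15107); not dnsmasq code."""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    # RFC 4034 s6.1 canonical order: compare labels from the rightmost one,
    # case-insensitively, as octet strings; a shorter prefix name sorts first.
    labels = [lab.lower().encode("ascii") for lab in name.rstrip(".").split(".")]
    return tuple(reversed(labels))


@dataclass
class Nsec:
    owner: str         # owner name as it appears in the response
    next_name: str     # "next domain name" field of the NSEC RDATA
    rrsig_labels: int  # Labels field of the covering RRSIG (RFC 4034 s3.1.3)

    def proof_owner(self) -> str:
        """Name the NSEC really asserts from. If the RRSIG Labels field is
        smaller than the owner's label count, the record was expanded from a
        wildcard and only *.<original owner> is signed, not the expanded name."""
        labels = self.owner.rstrip(".").split(".")
        if self.rrsig_labels < len(labels):
            return "*." + ".".join(labels[-self.rrsig_labels:])
        return self.owner


def nsec_proves_nonexistence(qname: str, rec: Nsec, wildcard_aware: bool = True) -> bool:
    """True if the NSEC range proves that qname does not exist.

    wildcard_aware=False reproduces the pre-fix behaviour described in the
    commit message: the expanded owner is wrongly taken as the range start."""
    lo = canonical_key(rec.proof_owner() if wildcard_aware else rec.owner)
    hi = canonical_key(rec.next_name)
    q = canonical_key(qname)
    if lo < hi:
        return lo < q < hi
    # Last NSEC in the zone: its next name is the apex, so the range wraps.
    return q > lo or q < hi


if __name__ == "__main__":
    # Constructed record from the commit message, signed by the *.example.org RRSIG.
    rec = Nsec("!.example.org", "zz.example.org", rrsig_labels=2)
    for q in ("$.example.org", "!a.example.org", "foo.example.org"):
        print(q, "buggy:", nsec_proves_nonexistence(q, rec, wildcard_aware=False),
              "fixed:", nsec_proves_nonexistence(q, rec))
```

Names whose first label sorts between "!" and "*" (for instance `$.example.org`) are the ones the pre-fix check wrongly reports as proven absent; the wildcard-aware check accepts the proof only from *.example.org onward.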