
This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 81289
Status: resolved
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: 1fea [...] packet-pushers.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.16
Fixed in: (no value)



Subject: Failure to handle GOST DS records
I am seeing some records created with GOST in the wild. DS.pm does not create a useful object when given such a record. For example from dig:

    dotsu.su. 345600 IN DS 13588 9 3 5C55272BFF1E290E9EAEF53A50C70A2A8CE96A64C6E4170B053B92C1 84B19F22

versus this from Net::DNS::Packet->print:

    dotsu.su. 345600 IN DS 13588 9 3 ; xexax

The malformed DS record leads to this error when RRSIG->verify() is called trying to verify the DS rrset:

    Can't call method "name" on unblessed reference at /usr/local/share/perl/5.12.4/Net/DNS/RR/RRSIG.pm

The culprit seems to be setting digestlength=0 for digest types other than 1 or 2. A proposed patch is attached. This of course does not enable cryptographic validation of GOST-related records, but please also consider this bug report a feature request for adding GOST support in general to Net::DNS::SEC.
Subject: net-dns-gost-ds.patch
Index: RR/DS.pm =================================================================== --- RR/DS.pm (revision 1053) +++ RR/DS.pm (working copy) @@ -44,7 +44,12 @@ $digestlength=20; # SHA1 digest 20 bytes long }elsif($self->{"digtype"}==2){ $digestlength=32; # SHA256 digest 32 bytes long + }elsif($self->{"digtype"}==3){ + $digestlength=32; # GOST digest 32 bytes long [RFC5933] + }elsif($self->{"digtype"}==4){ + $digestlength=32; # SHA-384 digest 32 bytes long [RFC6605] }else{ + confess("Unsupported digest type " .$self->{"digtype"}); $digestlength=0; }
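Review bot: the digest type 4 branch sets `$digestlength=32; # SHA-384 digest 32 bytes long [RFC6605]`, but SHA-384 yields a 48-byte digest (RFC 6605, section 4), so a type 4 DS record would be cut to 32 bytes and printed wrongly; it should read `$digestlength=48; # SHA-384 digest 48 bytes long`. Also, the `confess("Unsupported digest type " ...)` added in the else branch makes the following `$digestlength=0;` unreachable and turns every DS record with a not-yet-assigned digest type into a fatal error while a packet is being parsed. Since DS RDATA is three fixed fields followed by the digest, the digest length can be taken from the remaining RDATA rather than a hard-coded table; that keeps unknown types as opaque data, avoids the die, and makes the table a consistency check rather than the source of truth.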
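The digest-length handling the report describes, as an added Python example that is not part of the ticket or of Net::DNS::SEC: a DS RDATA parser that takes the digest length from the RDATA itself instead of a per-type table, run over wire bytes constructed from the dotsu.su record quoted above, with a switch that reproduces the table-only behaviour of 0.16. The reference length table and all function names are my own; only the record values come from the report.

```python
import struct

# Reference digest lengths per DS digest type: RFC 4034 (1, 2), RFC 5933 (3),
# RFC 6605 (4). SHA-384 is 48 bytes, not 32. Constructed for this example.
DS_DIGEST_LEN = {1: 20, 2: 32, 3: 32, 4: 48}

def digest_length_0_16(digtype: int) -> int:
    """Length table as the report describes 0.16: anything but 1 or 2 -> 0."""
    return {1: 20, 2: 32}.get(digtype, 0)

def parse_ds_rdata(rdata: bytes, table_only: bool = False) -> dict:
    """Parse DS RDATA (RFC 4034 s.5.1): keytag(2) algorithm(1) digtype(1) digest.

    table_only=True cuts the digest to digest_length_0_16(), reproducing the
    empty-digest object from the report. Otherwise the digest is whatever
    RDLENGTH leaves after the 4-byte header, so an unknown digest type survives
    as opaque bytes and the table is only used to sanity-check the length.
    """
    if len(rdata) < 4:
        raise ValueError("DS RDATA shorter than the 4-byte fixed fields")
    keytag, alg, digtype = struct.unpack("!HBB", rdata[:4])
    if table_only:
        digest = rdata[4:4 + digest_length_0_16(digtype)]
    else:
        digest = rdata[4:]
    expected = DS_DIGEST_LEN.get(digtype)
    return {
        "keytag": keytag,
        "algorithm": alg,
        "digtype": digtype,
        "digest": digest.hex().upper(),
        # None: no reference length for this type, accepted but not validated
        "length_ok": None if expected is None else expected == len(digest),
    }

def ds_presentation(ds: dict) -> str:
    """Presentation form: 'keytag algorithm digtype hex-digest'."""
    return f"{ds['keytag']} {ds['algorithm']} {ds['digtype']} {ds['digest']}".rstrip()

# Constructed wire RDATA for the dotsu.su DS record quoted in the report.
DOTSU_DIGEST_HEX = ("5C55272BFF1E290E9EAEF53A50C70A2A8CE96A64C6E4170B053B92C1"
                    "84B19F22")
DOTSU_RDATA = struct.pack("!HBB", 13588, 9, 3) + bytes.fromhex(DOTSU_DIGEST_HEX)

if __name__ == "__main__":
    print("0.16 style:", ds_presentation(parse_ds_rdata(DOTSU_RDATA, table_only=True)))
    print("from RDATA:", ds_presentation(parse_ds_rdata(DOTSU_RDATA)))
```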
From: 1fea [...] packet-pushers.com
Here's a useful addendum to the original patch.
Subject: net-dns-sec.patch
Index: SEC.pm =================================================================== --- SEC.pm (revision 1053) +++ SEC.pm (working copy) @@ -286,6 +286,8 @@ my %digestbyname= ( "SHA1" => 1, "SHA256" => 2, + "GOST" => 3, + "SHA384" => 4, );
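Review bot: the two new `%digestbyname` entries hand out type numbers for digests that nothing in this patch can compute (the cover message itself says it does not enable GOST validation), so a caller that looks up "GOST" or "SHA384" by name will get a valid number and then fail at whatever point a hash is actually needed; either have that call site reject type numbers with no digest implementation behind them, or document the entries as name mapping only. The "SHA384" mnemonic matches the existing "SHA1"/"SHA256" style, which is fine.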
From: rwfranks [...] acm.org
DS.pm rewritten, now on SVN trunk (at www.net-dns.org). The module architecture is radically different from 0.17, so may not work as a drop-in replacement. 0.18 should be along soon. Dick
Fixed in the 0.18 release. Please try out the pre-release for that release: http://www.net-dns.org/download/Net-DNS-SEC-0.17_5.tar.gz