dnsmasq: backport dnssec security fix for 17.01
authorKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fri, 19 Jan 2018 17:15:41 +0000 (17:15 +0000)
committerHans Dedecker <dedeckeh@gmail.com>
Fri, 19 Jan 2018 21:04:15 +0000 (22:04 +0100)
commit58d60bd283c6401db8fcad94e3c45e2115a16553
tree1003612ec477cddcc49de5baf5d438bc0dab9b67
parentd626aa005be1e3f815b02c6dd72cf5b329339ef0
dnsmasq: backport dnssec security fix for 17.01

CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org  and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch [new file with mode: 0644]