racoon stops on RRSIG in getcertsbyname
Bug #1211053 reported by ruff
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ipsec-tools (Ubuntu) | New | Low | Unassigned |
Bug Description
When using peers_certfile dnssec for racoon, it makes a CERT RR lookup to fetch the cert from DNS.
If the CERT RR is protected by DNSSEC (as it's supposed to be), the resolver will (may?) return an RRSIG record to allow RR validity checks in the app.
The current implementation of getcertsbyname (with patches) already sets NSEC options and checks the authenticity flag, however it bails on RRSIG.
The proposed patch simply makes the function continue on non-CERT RRs since there's no current framework to use RRSIG validation. With this approach it will iterate through the entire reply in an attempt to fish CERT RRs from the answer.
Changed in ipsec-tools (Ubuntu): importance: Undecided → Low
With the patch, the debug output looks as follows:

```
ci_algorithm= 5
ci_certlen= 884
get a DNS packet len=1964
type=1 keytag=0 alg=5 len=884
not T_CERT[46]
getcertsbyname succeeded.
certinfo[0]:
ci_type=1
ci_keytag=0
ci_flags=0
ci_cert: MIIDcD...
```

Without it, it stops after the "not T_CERT" message.
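The iteration the bug description proposes, as an added example (not ipsec-tools code): a minimal walker over a DNS reply's answer section that skips RRSIG (type 46) and any other non-CERT RR instead of stopping, reads the AD flag, and unpacks each CERT RR (type 37) into the type/keytag/algorithm fields shown in the debug output above. The reply bytes, owner name and certificate contents are constructed for the example and are not real data.

```python
import struct

T_CERT, T_RRSIG = 37, 46  # CERT (RFC 4398) and RRSIG (DNSSEC signature) RR types
AD_FLAG = 0x0020          # "authentic data" bit in the DNS header flags

def skip_name(pkt, off):
    """Advance past a label-encoded or compressed owner name; return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def collect_certs(pkt):
    """Walk the answer section, skipping non-CERT RRs instead of bailing on them."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", pkt, 2)
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    certs = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != T_CERT:
            continue  # e.g. the RRSIG covering the CERT RRset: skip it, keep iterating
        ctype, keytag, alg = struct.unpack_from("!HHB", rdata)
        certs.append({"ci_type": ctype, "ci_keytag": keytag,
                      "ci_algorithm": alg, "ci_cert": rdata[5:]})
    return bool(flags & AD_FLAG), certs

def build_reply(rrs, ad=True):
    """Constructed reply: one CERT question, then (rtype, rdata) answers. Test data only."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    out = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    out += b"\x06vpn-gw\x07example\x03com\x00" + struct.pack("!HH", T_CERT, 1)
    for rtype, rdata in rrs:  # owner name as a pointer to the question name
        out += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out

# Constructed sample: a PKIX CERT (type 1, keytag 0, alg 5) followed by its RRSIG
SAMPLE_CERT = struct.pack("!HHB", 1, 0, 5) + b"<DER certificate bytes>"
SAMPLE_RRSIG = struct.pack("!HBBIIIH", T_CERT, 5, 3, 300, 0, 0, 0) + b"\x00<signature>"
SAMPLE_REPLY = build_reply([(T_CERT, SAMPLE_CERT), (T_RRSIG, SAMPLE_RRSIG)])
```

Ordering the RRSIG before the CERT in the constructed reply reproduces the case where the original code would have returned nothing.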