racoon stops on RRSIG in getcertsbyname

Bug #1211053 reported by ruff on 2013-08-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ipsec-tools (Ubuntu)

Bug Description

When using peers_certfile dnssec for racoon, it makes a CERT RR lookup to fetch the cert from DNS.
If the CERT RR is protected by DNSSEC (as it's supposed to be), the resolver will (may?) return an RRSIG record to allow RR validity checks in the app.
The current implementation of getcertsbyname (with patches) already sets NSEC options and checks the authenticity flag; however, it bails on RRSIG.
The proposed patch simply makes the function continue on non-CERT RRs, since there's no current framework to use RRSIG validation. With this approach it will iterate through the entire reply in an attempt to fish CERT RRs from the answer.
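The loop the report describes, written out as an added example (this is not ipsec-tools code, and the patch itself is not reproduced here): a minimal parser walks the answer section of a DNS response, accepts it only if the resolver set the AD bit, and collects CERT RRs (type 37) while stepping over everything else, including the RRSIG (type 46) that the original loop stopped on. The response, the owner name vpn.example, the key tag 4321 and the certificate bytes are all constructed for the example; the RRSIG carries dummy signature bytes because, as the report says, nothing here validates it. Setting skip_other_rrs=False reproduces the pre-patch behaviour for comparison.

```python
import struct

T_CERT = 37        # CERT RR type (RFC 4398)
T_RRSIG = 46       # RRSIG RR type (RFC 4034); the "not T_CERT[46]" in the debug output
AD_FLAG = 0x0020   # Authentic Data bit in the DNS header flags


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def answer_records(msg):
    """Yield (rtype, rdata) for each RR in the answer section, in order."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):            # question entry: name + qtype + qclass
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, msg[off:off + rdlen]
        off += rdlen


def getcerts(msg, skip_other_rrs=True):
    """Collect CERT RRs as (cert_type, key_tag, algorithm, certificate) tuples.

    The answer is accepted only when the resolver flagged it AD, which is the
    authenticity check the report says getcertsbyname already performs; the
    RRSIG itself is not verified here.  skip_other_rrs=False mimics the
    pre-patch loop, which stops at the first RR that is not a CERT.
    """
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & AD_FLAG:
        raise ValueError("answer is not marked authentic (AD bit clear)")
    certs = []
    for rtype, rdata in answer_records(msg):
        if rtype != T_CERT:
            if skip_other_rrs:
                continue            # patched behaviour: keep fishing for CERT RRs
            break                   # original behaviour: bail on RRSIG
        cert_type, key_tag, alg = struct.unpack("!HHB", rdata[:5])
        certs.append((cert_type, key_tag, alg, rdata[5:]))
    return certs


def rr(owner, rtype, rdata, ttl=3600):
    """Wire-encode one resource record of class IN."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


CERT_BYTES = b"<constructed DER placeholder>"   # stands in for a real certificate


def build_sample_response(ad=True):
    """Constructed answer to 'vpn.example. IN CERT': an RRSIG followed by a CERT."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA (+ AD)
    header = struct.pack("!6H", 0x1234, flags, 1, 2, 0, 0)
    question = encode_name("vpn.example.") + struct.pack("!HH", T_CERT, 1)
    # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
    # inception, key tag, signer's name, signature (dummy bytes)
    rrsig = struct.pack("!HBBIIIH", T_CERT, 5, 2, 3600, 1700000000, 1690000000, 4321)
    rrsig += encode_name("example.") + b"\x00" * 32
    # CERT RDATA: type 1 (PKIX), key tag, algorithm 5 (RSASHA1), certificate
    cert = struct.pack("!HHB", 1, 4321, 5) + CERT_BYTES
    return (header + question
            + rr("vpn.example.", T_RRSIG, rrsig)
            + rr("vpn.example.", T_CERT, cert))


if __name__ == "__main__":
    msg = build_sample_response()
    print("patched  :", getcerts(msg))
    print("unpatched:", getcerts(msg, skip_other_rrs=False))
```

Because the RRSIG is skipped rather than checked, the only integrity guarantee the application gets is the resolver's AD bit, so this approach is only as strong as the path between racoon and a validating resolver (a local validating resolver, or a trusted stub-to-resolver channel).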

ruff (rufferson) wrote :

With the patch, the debug output looks as follows:
get a DNS packet len=1964
type=1 keytag=0 alg=5 len=884
not T_CERT[46]
getcertsbyname succeeded.
        ci_cert: MIIDcD...
Without it, it stops after the "not T_CERT" message.

The attachment "getcertsbyname-skip-rrsig.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in ipsec-tools (Ubuntu):
importance: Undecided → Low