racoon stops on RRSIG in getcertsbyname

Bug #1211053 reported by ruff
Affects: ipsec-tools (Ubuntu)
Status: New
Importance: Low
Assigned to: Unassigned

Bug Description

When using peers_certfile dnssec for racoon, it makes a CERT RR lookup to fetch the cert from DNS.
If the CERT RR is protected by DNSSEC (as it's supposed to be), the resolver will (may?) return an RRSIG record to allow RR validity checks in the app.
The current implementation of getcertsbyname (with patches) already sets NSEC options and checks the authenticity flag; however, it bails on RRSIG.
The proposed patch simply makes the function continue on non-CERT RRs, since there's no current framework to use RRSIG validation. With this approach it will iterate through the entire reply in an attempt to fish CERT RRs out of the answer.

Revision history for this message
ruff (rufferson) wrote :

With the patch, the debug output looks as follows:
get a DNS packet len=1964
type=1 keytag=0 alg=5 len=884
not T_CERT[46]
getcertsbyname succeeded.
certinfo[0]:
        ci_type=1
        ci_keytag=0
        ci_algorithm=5
        ci_flags=0
        ci_certlen=884
        ci_cert: MIIDcD...
Without it, it stops after the "not T_CERT" message.
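To show the difference between the reported behaviour and the proposed one, here is an added example (not the racoon code or the attached patch) that walks the answer section of a DNS reply and collects CERT RRs: with skip_others=0 the loop stops at the first non-CERT RR, as getcertsbyname does on the RRSIG; with skip_others=1 it skips the RRSIG (type 46) and still finds the CERT RR, matching the debug output above. The answer-section bytes, the RR ordering (RRSIG before CERT) and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#define T_CERT_RR 37                      /* CERT, RFC 4398; RRSIG is type 46, RFC 4034 */
struct certinfo { unsigned ci_type, ci_keytag, ci_algorithm; size_t ci_certlen; const uint8_t *ci_cert; };
/* Skip a wire-format owner name (labels or a 2-byte compression pointer); new offset or -1 */
static long skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        if ((p[off] & 0xC0) == 0xC0) return off + 2 <= len ? (long)(off + 2) : -1;
        if (p[off] == 0) return (long)(off + 1);
        off += 1 + p[off];
    }
    return -1;
}
/* Walk ancount RRs from off, collecting CERT RRs into out (at most max); returns CERT count or -1 if malformed.
 * skip_others=0 mimics the reported behaviour: stop at the first non-CERT RR such as RRSIG;
 * skip_others=1 mimics the proposed fix: skip non-CERT RRs and keep looking. */
int collect_cert_rrs(const uint8_t *p, size_t len, size_t off, unsigned ancount,
                     int skip_others, struct certinfo *out, int max) {
    int n = 0;
    for (unsigned i = 0; i < ancount; i++) {
        long o = skip_name(p, len, off);
        if (o < 0 || (size_t)o + 10 > len) return -1;     /* type(2) class(2) ttl(4) rdlength(2) */
        off = (size_t)o;
        unsigned type  = (unsigned)p[off] << 8 | p[off + 1];
        unsigned rdlen = (unsigned)p[off + 8] << 8 | p[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;
        if (type != T_CERT_RR) {                            /* "not T_CERT[46]" in the debug log */
            if (!skip_others) break;                        /* old: bail out here */
            off += rdlen; continue;                         /* patched: keep fishing for CERT RRs */
        }
        if (rdlen < 5) return -1;                           /* CERT RDATA: type(2) key tag(2) alg(1) cert */
        if (n < max) {
            out[n].ci_type = (unsigned)p[off] << 8 | p[off + 1];
            out[n].ci_keytag = (unsigned)p[off + 2] << 8 | p[off + 3];
            out[n].ci_algorithm = p[off + 4];
            out[n].ci_certlen = rdlen - 5; out[n].ci_cert = p + off + 5;
        }
        n++; off += rdlen;
    }
    return n;
}
/* Constructed answer section: an RRSIG RR (type 46, dummy RDATA) followed by a PKIX CERT RR (ci_type=1, alg=5) */
static const uint8_t sample[] = {
    3,'s','e','c',7,'e','x','a','m','p','l','e',0, 0,46, 0,1, 0,0,0,60, 0,4, 0,37,5,0,
    0xC0,0x00, 0,37, 0,1, 0,0,0,60, 0,8, 0,1, 0,0, 5, 0x30,0x82,0x03
};
struct certinfo found[1];                                  /* filled in by demo() */
/* Returns 0 with the old loop (stops at the RRSIG) and 1 with the fix (finds the CERT RR) */
int demo(int skip_others) { return collect_cert_rrs(sample, sizeof sample, 0, 2, skip_others, found, 1); }
```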

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "getcertsbyname-skip-rrsig.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in ipsec-tools (Ubuntu):
importance: Undecided → Low