Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update embedded dnsmasq to v2.88rc1 #1484

Merged
merged 4 commits into from
Nov 17, 2022
Merged

Update embedded dnsmasq to v2.88rc1 #1484

merged 4 commits into from
Nov 17, 2022

Conversation

DL6ER
Copy link
Member

@DL6ER DL6ER commented Nov 16, 2022
edited
Loading

Thank you for your contribution to the Pi-hole Community!

Please read the comments below to help us consider your Pull Request.

We are all volunteers and completing the process outlined will help us review your commits quicker.

Please make sure you

  1. Base your code and PRs against the repositories developmental branch.
  2. Sign Off all commits as we enforce the DCO for all contributions
  3. Sign all your commits as they must have verified signatures
  4. File a pull request for any change that requires changes to our documentation at our documentation repo

What does this PR aim to accomplish?:

Update embedded dnsmasq to v2.88rc1

How does this PR accomplish the above?:

Incorporate three commits from upstream dnsmasq. Noteworthy Changelog entry is:

Handle DS records for unsupported crypto algorithms correctly.
Such a DS, as long as it is validated, should allow answers
in the domain is attests to be returned as unvalidated, and not
as a validation error.

We are not affected by the fix in c030b2d as it only affects older versions of nettle lower than 3.6 (FTL is built against the most recent version 3.8.1).

BEFORE (current master and development)
Screenshot from 2022-11-16 21-50-07

NOW (this branch)
Screenshot from 2022-11-16 21-50-28

This is the rootcanary.org test. Records signed with RSA-MD5, DSA and DSA-NSEC-SHA1 are returned without being verified as specified in the DNSSEC Validation column of RFC 8624 para 3.1.

Link documentation PRs if any are needed to support this PR:

-/-

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)
  6. I have checked that another pull request for this purpose does not exist.
  7. I have considered, and confirmed that this submission will be valuable to others.
  8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  9. I give this submission freely, and claim no ownership to its content.
  • I have read the above and my PR is ready for review. Check this box to confirm

simonkelley and others added 4 commits November 16, 2022 21:44
@simonkelley @DL6ER
Handle known DNSSEC signature algorithms which are not supported.
c030b2d 
This fixes a confusion if certain algorithms are not supported
because the version is the crypto library is too old.  The validation
should be treated the same as for a completely unknown algorithm,
(ie return unverified answer) and not as a validation failure
(ie return SERVFAIL).

The algorithems affected are GOST and ED448.

Signed-off-by: DL6ER <[email protected]>
@simonkelley @DL6ER
Fix GOST signature algorithms for DNSSEC validation.
b6e61c2 
Use CryptoPro version of the hash function.
Handle the little-endian wire format of key data.
Get the wire order of S and R correct.

Note that Nettle version 3.6 or later is required for GOST support.

Signed-off-by: DL6ER <[email protected]>
@simonkelley @DL6ER
Handle DS records for unsupported crypto algorithms correctly.
bc1acb2 
Such a DS, as long as it is validated, should allow answers
in the domain is attests to be returned as unvalidated, and not
as a validation error.

Signed-off-by: DL6ER <[email protected]>
@DL6ER
Update embedded dnsmasq to v2.88rc1
b72d3b7 
Signed-off-by: DL6ER <[email protected]>
@DL6ER DL6ER requested a review from a team November 16, 2022 20:53
@DL6ER DL6ER added the PR: Approval Required Open Pull Request, needs approval label Nov 16, 2022
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/dnssec-ed448/58924/38

@DL6ER DL6ER merged commit 08b347b into development Nov 17, 2022
@DL6ER DL6ER mentioned this pull request Nov 17, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yubiuser yubiuser yubiuser approved these changes

Assignees
No one assigned
Labels
dnsmasq update PR: Approval Required Open Pull Request, needs approval
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DL6ER @pralor-bot @yubiuser @simonkelley