Your message dated Wed, 24 Sep 2014 11:49:10 +0000
with message-id <[email protected]>
and subject line Bug#761654: fixed in dnsmasq 2.72-1
has caused the Debian Bug report #761654,
regarding dnsmasq: The AD flag is set in every cached answer.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
761654: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761654
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dnsmasq
Version: 2.62-3+deb7u1
Severity: normal
Tags: upstream

Dear Maintainer,

   * What led up to the situation?

Asking dnsmasq for a domain/hostname with the "AD" flag set results
in a response with the AD flag, if the response comes from the cache.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.heise.de +adflag
    …
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
    ;; QUESTION SECTION:
    ;www.heise.de.                      IN      A
    ;; ANSWER SECTION:
    www.heise.de.               3600    IN      A       193.99.144.85
    …
    ;; Query time: 82 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Sep 15 14:56:46 2014
    ;; MSG SIZE  rcvd: 252

Now the same query, just some seconds later:

    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.heise.de +adflag
    …
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.heise.de.                      IN      A
    ;; ANSWER SECTION:
    www.heise.de.               3564    IN      A       193.99.144.85
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Sep 15 14:57:22 2014
    ;; MSG SIZE  rcvd: 46

The query time and the reduced TTL show that the answer comes from the
dnsmasq cache. The heise.de domain is not DNSSEC protected (no DS
records exist). I would not expect the AD flag set in such a case!

Having the AD flag in such a case may introduce a security hole. A local
client could trust the flag …

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dnsmasq depends on:
ii  adduser       3.113+nmu3
ii  dnsmasq-base  2.62-3+deb7u1
ii  netbase       5.0

dnsmasq recommends no packages.

Versions of packages dnsmasq suggests:
ii  resolvconf  1.67

-- no debconf information

--- End Message ---
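
The comparison made by hand with dig in the report above, as an added example that is not part of the original messages or of dnsmasq: it reads the header flags of two raw DNS replies and reports whether they disagree on the AD bit. The function names, the query ID and the sample replies are assumptions constructed for illustration; the samples carry only header and question.

```python
import socket
import struct

# Header flag bits (RFC 1035, with AD/CD from RFC 4035).
FLAGS = [(0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"), (0x0100, "rd"),
         (0x0080, "ra"), (0x0020, "ad"), (0x0010, "cd")]

def question(name, qtype=1):
    """Encode the question section: QNAME, QTYPE (1 = A), QCLASS IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, 1)

def build_query(name, qid):
    """Query with RD and AD set, which is what dig's +adflag sends."""
    return struct.pack("!HHHHHH", qid, 0x0100 | 0x0020, 1, 0, 0, 0) + question(name)

def flags_of(msg):
    """Return the set of flag mnemonics found in a raw DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    word = struct.unpack("!H", msg[2:4])[0]
    return {name for bit, name in FLAGS if word & bit}

def ad_differs(first, second):
    """True if two replies to the same question disagree on the AD bit."""
    return ("ad" in flags_of(first)) != ("ad" in flags_of(second))

def ask(server, name, qid=0x1234, timeout=2.0):
    """Send one UDP query and return the raw reply (needs a live resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed samples mirroring the two dig outputs in the report:
# header and question only, resource records omitted.
Q = question("www.heise.de")
FIRST = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 5, 5) + Q   # qr rd ra
SECOND = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + Q  # qr rd ra ad

if __name__ == "__main__":
    print(sorted(flags_of(FIRST)), sorted(flags_of(SECOND)))
    print("AD differs between replies:", ad_differs(FIRST, SECOND))
```

Against a running resolver, call ask("127.0.0.1", name) twice within the record's TTL and pass both replies to ad_differs.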
--- Begin Message ---
Source: dnsmasq
Source-Version: 2.72-1

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Kelley <[email protected]> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 May 2014 21:01:11 +0000
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.72-1
Distribution: unstable
Urgency: low
Maintainer: Simon Kelley <[email protected]>
Changed-By: Simon Kelley <[email protected]>
Description:
 dnsmasq    - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 760460 761654
Changes:
 dnsmasq (2.72-1) unstable; urgency=low
 .
    * New upstream.
    * If dns-root-data package is installed, use it to set the DNSSEC
      trust anchor(s). Recommend dns-root-data. (closes: #760460)
    * Handle AD bit correctly in replies from cache. (closes: #761654)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
