On 18/12/15 13:22, Michał Kępień wrote:
> A useful test subject for these issues is the caint.su zone, which
> uses two keys, each using a different algorithm (RSA and ECC-GOST)
> and also provides three separate hashes of each of those keys in
> its parent zone. Using this zone as an example for the reasoning
> above, it shouldn't be considered insecure just because we don't
> understand GOST hashes and/or signing.
>

I just checked in code that behaves well in this case. This is making real progress: thanks for your assistance.

>> That's a good point. The problem is that Nettle supports
>> introspection for hash functions, but not public-key signatures.
>> algo_digest_name() uses the introspection, but it doesn't tell
>> you that algorithms 13 and 14 are not available because ECC is
>> not available. Hence I added the #ifdef NO_NETTLE_ECC, which
>> should encompass 12. Even that's not right, because 12 needs
>> ECC-GOST, which isn't implemented. The canonical place for this
>> information is actually verify(): it knows which algorithms are
>> OK. I've fixed the code to do that. A digest is supported if
>> it's in the switch in algo_digest_name() AND supported by the
>> current Nettle. A signature algo is supported if it's in the
>> switch in verify_func(). That has to be kept up-to-date with
>> Nettle's capabilities.
>
> Thanks, as I already stated above, this fixed quite some of the
> problems I observed.
>

I extended this to include a function defining known NSEC3 hash functions. There's only one at the moment, but now we're prepared! (And in the case that a validator doesn't support an NSEC3 hash function, we're told by RFC 5155, section 8.1, to return BOGUS.)

Cheers,

Simon.
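The support rules Simon describes above (a DS digest is usable only if the validator knows it AND the crypto library provides it; a signature algorithm is usable only if the verification code has a case for it; ECC alone does not make algorithm 12 usable; NSEC3 hash algorithms are a separate, explicit list) can be modelled independently of dnsmasq. The following is an added example written for this page, not dnsmasq's code: the `crypto_caps` struct stands in for what Nettle was built with, the function names and the `caint_like` DS set are constructed (the thread says caint.su publishes three digests per key but not which digest types, so those are assumed), and the algorithm and digest numbers are the IANA registry values. The delegation classification follows RFC 4035 section 5.2, where a DS RRset containing no supported algorithm is treated like a proven absence of DS, so the child is insecure rather than bogus, which is the behaviour Michał asked for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IANA DNSSEC algorithm numbers (subset). */
enum { RSASHA1 = 5, RSASHA1_NSEC3_SHA1 = 7, RSASHA256 = 8, RSASHA512 = 10,
       ECC_GOST = 12, ECDSAP256SHA256 = 13, ECDSAP384SHA384 = 14 };
/* IANA DS digest types. */
enum { DS_SHA1 = 1, DS_SHA256 = 2, DS_GOST = 3, DS_SHA384 = 4 };
/* IANA NSEC3 hash algorithms: only SHA-1 is registered. */
enum { NSEC3_SHA1 = 1 };

/* Assumed stand-in for the crypto library's build-time configuration. */
struct crypto_caps {
  bool have_ecc;        /* P-256 / P-384 ECDSA verification available */
  bool have_gost_hash;  /* GOST R 34.11-94 digest available */
};

/* A digest type is usable only if this switch knows it AND the library has it. */
bool digest_supported(int digest_type, const struct crypto_caps *caps) {
  switch (digest_type) {
  case DS_SHA1: case DS_SHA256: case DS_SHA384:
    return true;
  case DS_GOST:
    return caps->have_gost_hash;
  default:
    return false;
  }
}

/* A signature algorithm is usable only if verification code exists for it.
   This switch is the single source of truth and must track the library. */
bool sig_algo_supported(int algo, const struct crypto_caps *caps) {
  switch (algo) {
  case RSASHA1: case RSASHA1_NSEC3_SHA1: case RSASHA256: case RSASHA512:
    return true;
  case ECDSAP256SHA256: case ECDSAP384SHA384:
    return caps->have_ecc;
  case ECC_GOST:
    return false;  /* ECC alone is not enough: GOST signing is not implemented */
  default:
    return false;
  }
}

/* Explicit list of known NSEC3 hash algorithms; anything else is unknown. */
bool nsec3_hash_supported(int hash_alg) {
  switch (hash_alg) {
  case NSEC3_SHA1: return true;
  default:         return false;
  }
}

struct ds_rr { int key_tag; int algo; int digest_type; };

/* A DS record is usable only if both its algorithm and its digest are. */
bool ds_usable(const struct ds_rr *ds, const struct crypto_caps *caps) {
  return sig_algo_supported(ds->algo, caps) && digest_supported(ds->digest_type, caps);
}

size_t count_usable_ds(const struct ds_rr *set, size_t n, const struct crypto_caps *caps) {
  size_t usable = 0;
  for (size_t i = 0; i < n; i++)
    if (ds_usable(&set[i], caps)) usable++;
  return usable;
}

enum delegation { DELEGATION_VALIDATE, DELEGATION_INSECURE };

/* RFC 4035 section 5.2: no supported DS means the child is treated as insecure. */
enum delegation classify_delegation(const struct ds_rr *set, size_t n,
                                    const struct crypto_caps *caps) {
  return count_usable_ds(set, n, caps) ? DELEGATION_VALIDATE : DELEGATION_INSECURE;
}

/* Constructed DS set modelled on the caint.su description: one RSA key and one
   ECC-GOST key, three digests each. Key tags and digest types are assumed. */
static const struct ds_rr caint_like[6] = {
  {1111, RSASHA256, DS_SHA1}, {1111, RSASHA256, DS_SHA256}, {1111, RSASHA256, DS_SHA384},
  {2222, ECC_GOST,  DS_SHA1}, {2222, ECC_GOST,  DS_SHA256}, {2222, ECC_GOST,  DS_GOST},
};
static const size_t caint_like_n = 6;
/* Constructed zone whose only DS points at a GOST-signed key. */
static const struct ds_rr gost_only[1] = { {2222, ECC_GOST, DS_SHA256} };
static const struct crypto_caps nettle_no_ecc   = { false, false };
static const struct crypto_caps nettle_with_ecc = { true,  false };

int main(void) {
  size_t n = count_usable_ds(caint_like, caint_like_n, &nettle_no_ecc);
  printf("usable DS records without ECC: %zu of %zu -> %s\n", n, caint_like_n,
         classify_delegation(caint_like, caint_like_n, &nettle_no_ecc) == DELEGATION_VALIDATE
           ? "validate via the RSA key" : "insecure");
  return 0;
}
```

With the ECC-less build, the three RSA digests are usable and the three GOST ones are not, so the zone is validated through the RSA key rather than declared insecure; enabling ECC changes nothing for algorithm 12, which is the trap the `#ifdef NO_NETTLE_ECC` approach fell into. A zone whose only DS records point at a GOST key is classified insecure, not bogus.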
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss