[Bug 1211053] [NEW] racoon stops on RRSIG in getcertsbyname
ruff
1211053 at bugs.launchpad.net
Sun Aug 11 19:33:54 UTC 2013
Public bug reported:
When using peers_certfile dnssec for racoon, it makes a CERT RR lookup to fetch the cert from DNS.
If the CERT RR is protected by DNSSEC (as it's supposed to be), the resolver will (may?) return an RRSIG record to allow RR validity checks in the app.
The current implementation of getcertsbyname (with patches) already sets NSEC options and checks the authenticity flag; however, it bails on RRSIG.
The proposed patch simply makes the function continue on non-CERT RRs, since there's no current framework to use RRSIG validation. With this approach it will iterate through the entire reply in an attempt to fish CERT RRs from the answer.
** Affects: ipsec-tools (Ubuntu)
Importance: Undecided
Status: New
** Tags: ipsec racoon
** Patch added: "getcertsbyname-skip-rrsig.patch"
https://bugs.launchpad.net/bugs/1211053/+attachment/3768345/+files/getcertsbyname-skip-rrsig.patch
https://bugs.launchpad.net/bugs/1211053
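To make the behaviour described in the report concrete, the following is an added example, not racoon's getcertsbyname and not the attached patch: it walks a constructed DNS answer section holding CERT and RRSIG records and counts the CERT RRs. The function names count_cert_rrs and name_len, the sample bytes and the skip_non_cert switch are assumptions of this example; strict mode models the reported behaviour (the first non-CERT RR fails the lookup), skipping mode models the patch (non-CERT RRs are stepped over so every CERT RR in the reply is collected).

```c
#include <stdint.h>
#include <stddef.h>

#define T_CERT 37  /* CERT RR type (RFC 4398); RRSIG is type 46 (RFC 4034) */
/* Constructed answer section (header and question omitted); every owner name is the
 * compression pointer 0xC00C, as in a real response. RDATA bytes are placeholders, not
 * real certificates or signatures. RR1: CERT rdlength 6, RR2: RRSIG rdlength 4, RR3: CERT rdlength 6. */
static const uint8_t answer[] = {
    0xC0, 0x0C, 0x00, 0x25, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x06,
    0x00, 0x01, 0x00, 0x00, 0x00, 0xAA,
    0xC0, 0x0C, 0x00, 0x2E, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF,
    0xC0, 0x0C, 0x00, 0x25, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x06,
    0x00, 0x01, 0x00, 0x00, 0x00, 0xBB,
};
#define ANCOUNT 3

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes taken by the owner name at p (compression pointer or label sequence);
 * -1 if it runs past the end of the buffer. */
static int name_len(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i += 1 + p[i]) {
        if ((p[i] & 0xC0) == 0xC0) return (i + 2 <= len) ? (int)(i + 2) : -1;
        if (p[i] == 0) return (int)(i + 1);
    }
    return -1;
}

/* Walk ancount RRs and count CERT records. skip_non_cert == 0: the first non-CERT RR
 * (here the RRSIG) fails the lookup with -1, as the report describes. skip_non_cert != 0:
 * other RR types are stepped over, as in the patch. Truncated/malformed input yields -1. */
static int count_cert_rrs(const uint8_t *p, size_t len, int ancount, int skip_non_cert)
{
    size_t off = 0; int found = 0;
    for (int i = 0; i < ancount; i++) {
        int n = name_len(p + off, len - off);
        if (n < 0 || off + (size_t)n + 10 > len) return -1;
        off += (size_t)n;
        uint16_t type = rd16(p + off), rdlen = rd16(p + off + 8);
        off += 10;
        if (off + rdlen > len) return -1;
        if (type == T_CERT) found++;
        else if (!skip_non_cert) return -1;
        /* RRSIG RDATA is skipped, not verified: the resolver's AD flag stays the only authenticity signal. */
        off += rdlen;
    }
    return found;
}
```

With the sample section, strict mode returns -1 at the RRSIG while skipping mode returns 2, i.e. both CERT RRs are collected from the reply.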