Public bug reported: When using peers_certfile dnssec for racoon, it makes a CERT RR lookup to fetch the certificate from DNS. If the CERT RR is protected by DNSSEC (as it is supposed to be), the resolver will (may?) return an RRSIG record to allow RR validity checks in the application. The current implementation of getcertsbyname (with patches) already sets the NSEC options and checks the authenticity flag; however, it bails on RRSIG. The proposed patch simply makes the function continue on non-CERT RRs, since there is currently no framework for RRSIG validation. With this approach it will iterate through the entire reply in an attempt to fish the CERT RRs out of the answer.
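As an added illustration (not the attached patch and not ipsec-tools code), this Python walks a constructed DNS reply the way the report describes the patched getcertsbyname behaving: it reads the AD (authenticated data) flag from the header, then iterates every answer RR and keeps only CERT RDATA, stepping over RRSIG and any other RR type instead of aborting. The RR type codes, header bit and the sample records below are assumptions constructed for the example.

```python
import struct

TYPE_CERT, TYPE_RRSIG = 37, 46   # RR type codes (IANA); assumed here, not from the report
FLAG_AD = 0x0020                 # "authenticated data" bit in the DNS header flags

def encode_name(name):
    """Wire-format an owner name without compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def cert_rrs_from_reply(msg):
    """Walk the whole answer section and collect only CERT RDATA.
    A non-CERT RR (RRSIG or anything else) is skipped, not treated as an error,
    which is the behaviour the report's patch describes. Returns (ad_set, [rdata, ...])."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    certs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CERT:
            certs.append(msg[off:off + rdlen])
        off += rdlen                           # step over the RDATA of every RR type
    return bool(flags & FLAG_AD), certs

def build_reply(name, rrs, ad=True):
    """Constructed reply: QR|RD|RA (+AD), one question, the given (type, rdata) answers."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | (FLAG_AD if ad else 0), 1, len(rrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_CERT, 1)
    answers = b"".join(encode_name(name) + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                       for t, rd in rrs)
    return hdr + question + answers

# Constructed sample: CERT RDATA = type PKIX(1), key tag 0, algorithm 5, then placeholder DER bytes.
CERT_RDATA = struct.pack("!HHB", 1, 0, 5) + b"\x30\x82\x00\x00"
RRSIG_RDATA = b"\x00\x25" + b"\x00" * 16 + b"placeholder-sig"   # not a real signature
SAMPLE = build_reply("gw.example.com.", [(TYPE_RRSIG, RRSIG_RDATA), (TYPE_CERT, CERT_RDATA), (TYPE_RRSIG, RRSIG_RDATA)])
```

Running `cert_rrs_from_reply(SAMPLE)` yields the AD flag and the single CERT RDATA even though RRSIG records surround it; a reply without the AD bit is still parsed but reported as unauthenticated, which is the caller's cue not to trust the certificate.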
** Affects: ipsec-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: ipsec racoon

** Patch added: "getcertsbyname-skip-rrsig.patch"
   https://bugs.launchpad.net/bugs/1211053/+attachment/3768345/+files/getcertsbyname-skip-rrsig.patch

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ipsec-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1211053

Title:
  racoon stops on RRSIG in getcertsbyname

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1211053/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs