<font size=2 face="sans-serif">Sorry - resending response due to email
server issues...</font>
<br>
<br><tt><font size=2>opendnssec-develop-bounces@lists.opendnssec.org wrote
on 24/03/2010 09:44:28:<br>
<br>
> Alexd@nominet.org.uk </font></tt>
<br><tt><font size=2>> Sent by: opendnssec-develop-bounces@lists.opendnssec.org<br>
> </font></tt>
<br><tt><font size=2>> 24/03/2010 09:44</font></tt>
<br><tt><font size=2>> <br>
> To</font></tt>
<br><tt><font size=2>> <br>
> Opendnssec-develop@lists.opendnssec.org</font></tt>
<br><tt><font size=2>> <br>
> cc</font></tt>
<br><tt><font size=2>> <br>
> apt@nominet.org.uk</font></tt>
<br><tt><font size=2>> <br>
> Subject</font></tt>
<br><tt><font size=2>> <br>
> [Opendnssec-develop] NSEC next_domain in canonical form</font></tt>
<br><tt><font size=2>> <br>
> Hi - <br>
> <br>
> I've been looking at the problems reported by Dave Knight to <br>
> OpenDNSSEC, where a zone with : <br>
> <br>
> B.in-addr-servers.arpa. 3600
IN
<br>
> NSEC C.in-addr-servers.arpa.
A AAAA RRSIG NSEC <br>
> <br>
> will not verify correctly in the auditor (it does with bind and ldns).
<br>
> <br>
> The problem is with the capital "C" in the NSEC record.
RFC 4034 states : <br>
> <br>
> The Next Domain field contains the next owner name (in the canonical<br>
> ordering of the zone) that has authoritative data or contains
a<br>
> delegation point NS RRset <br>
> <br>
> The canonical ordering section then states : <br>
> <br>
> For the purposes of DNS security, owner names are ordered by treating<br>
> individual labels as unsigned left-justified octet strings.
The<br>
> absence of a octet sorts before a zero value octet, and uppercase<br>
> US-ASCII letters are treated as if they were lowercase US-ASCII<br>
> letters.<br>
> <br>
> In dnsruby, I had taken this to mean that the NSEC record should <br>
> contain the canonical form of the next domain in the canonically sorted
zone.<br>
> <br>
> So, when dnsruby calculates the signature of an RRSet, it uses the
<br>
> canonical form of the NSEC record. In this case, that means changing<br>
> "C.in-add-servers.arpa" to "c.in-addr-servers.arpa",
just like it <br>
> changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa".
<br>
> This gives it a different message digest to ldns (which downcases
<br>
> the "B", but keeps the "C" upcase). <br>
> <br>
> So, I was wondering if it was just me who took a different <br>
> interpretation away from the spec, or whether this should be <br>
> clarified somewhere. I was also hoping that somebody could give me
a<br>
> definitive answer on what the right thing to do with an NSEC <br>
> next_domain is. It does seem odd to me that this is not <br>
> canonicalised - after all, it already obeys the "no compression"
<br>
> rule for canonical names... <br>
In fact, RFC4034 says :</font></tt><font size=3> <br>
</font><tt><font size=3><br>
6.2. Canonical RR Form<br>
<br>
For the purposes of DNS security, the canonical form of an RR is
the<br>
wire format of the RR where:<br>
<br>
1. every domain name in the RR is fully expanded (no DNS name<br>
compression) and fully qualified;<br>
<br>
2. all uppercase US-ASCII letters in the owner name of the
RR are<br>
replaced by the corresponding lowercase US-ASCII letters;<br>
<br>
3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG,
MR, PTR,<br>
HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT,
NAPTR, KX,<br>
SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII
letters in<br>
the DNS names contained within the RDATA are replaced
by the<br>
corresponding lowercase US-ASCII letters;</font></tt><font size=3><br>
</font><tt><font size=2><br>
So it would seem that Dnsruby is doing the right thing, and canonicalising
the DNS name contained within the rdata of the NSEC record.</font></tt><font size=3>
<br>
</font><tt><font size=2><br>
Does this mean that ldns should be fixed to do the same thing - especially
when it comes to creating NSEC records from the zone?</font></tt><font size=3>
<br>
</font><tt><font size=2><br>
Thanks,</font></tt><font size=3> <br>
<br>
</font><tt><font size=2><br>
Alex.</font></tt><font size=3> </font>