<br><tt><font size=2>opendnssec-develop-bounces@lists.opendnssec.org wrote on 25/03/2010 02:01:36:<br>
<br>
> Rickard Bellgrim <rickard.bellgrim@iis.se><br>
> Sent by: opendnssec-develop-bounces@lists.opendnssec.org<br>
> 25/03/2010 02:01<br>
> To: <Alexd@nominet.org.uk><br>
> cc: "Opendnssec-develop@lists.opendnssec.org" <Opendnssec-develop@lists.opendnssec.org>, "apt@nominet.org.uk" <apt@nominet.org.uk><br>
> Subject: Re: [Opendnssec-develop] NSEC next_domain in canonical form</font></tt>
<br><tt><font size=2>> <br>
> So, when dnsruby calculates the signature of an RRSet, it uses the<br>
> canonical form of the NSEC record. In this case, that means changing<br>
> "C.in-addr-servers.arpa" to "c.in-addr-servers.arpa", just like it<br>
> changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa".<br>
> This gives it a different message digest to ldns (which downcases<br>
> the "B", but keeps the "C" upcase).<br>
> <br>
> So, I was wondering if it was just me who took a different<br>
> interpretation away from the spec, or whether this should be<br>
> clarified somewhere. I was also hoping that somebody could give me a<br>
> definitive answer on what the right thing to do with an NSEC<br>
> next_domain is. It does seem odd to me that this is not<br>
> canonicalised - after all, it already obeys the "no compression"<br>
> rule for canonical names...<br>
</font></tt>
<br><font size=3>I think ldns has signed this wrong (and also that BIND verifies it wrong). RFC 4034 states:<br>
<br>
6.2. Canonical RR Form<br>
<br>
For the purposes of DNS security, the canonical form of an RR is the<br>
wire format of the RR where:<br>
<br>
1. every domain name in the RR is fully expanded (no DNS name<br>
compression) and fully qualified;<br>
<br>
2. all uppercase US-ASCII letters in the owner name of the RR are<br>
replaced by the corresponding lowercase US-ASCII letters;<br>
<br>
3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,<br>
HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,<br>
SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in<br>
the DNS names contained within the RDATA are replaced by the<br>
corresponding lowercase US-ASCII letters;<br>
<br>
which hasn't been the case here.</font>
<br>
<br>
<br><tt><font size=2>Alex.</font></tt>
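Added example, not code from this thread nor from ldns, dnsruby or BIND: a small Python model of the RFC 4034 section 6.2 canonical form for an NSEC RR, applied to the B/C in-addr-servers.arpa names from the message above. It assumes constructed sample values (TTL 3600, a type bit map of NS, RRSIG and NSEC) and uses SHA-256 over the canonical RR bytes as a stand-in for the signed data; the point it shows is that lowercasing next_domain (item 3 applies to NSEC) and leaving its case alone produce different bytes, so the two implementations cannot agree on a signature.

```python
import hashlib
import struct

TYPE_NSEC = 47  # RR type code for NSEC; class IN is 1


def wire_name(name, lowercase=True):
    """Fully-qualified, uncompressed wire form of a name (RFC 4034 6.2 item 1),
    lowercased by default (items 2 and 3). A trailing dot is optional."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = (label.lower() if lowercase else label).encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # zero-length root label terminates the name


def type_bitmap(types):
    """NSEC type bit map (RFC 4034 4.1.2): per 256-type window, a window
    number, a byte count and the bitmap with trailing zero bytes trimmed."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        while bits and bits[-1] == 0:
            bits.pop()
        out += bytes([window, len(bits)]) + bytes(bits)
    return out


def canonical_nsec(owner, ttl, next_domain, types, lowercase_rdata=True):
    """Canonical wire form of one NSEC RR: owner | type | class | TTL |
    RDLENGTH | RDATA. The owner is always lowercased (item 2). NSEC is in
    the item 3 list, so next_domain is lowercased too by default; pass
    lowercase_rdata=False to reproduce the reading that keeps its case."""
    rdata = wire_name(next_domain, lowercase_rdata) + type_bitmap(types)
    header = struct.pack("!HHIH", TYPE_NSEC, 1, ttl, len(rdata))
    return wire_name(owner) + header + rdata


def digest_both_readings(owner, next_domain, ttl=3600, types=(2, 46, 47)):
    """SHA-256 of the canonical RR under both readings (ttl and types are
    constructed sample values). A real RRSIG covers more than this, the RRSIG
    RDATA prefix comes first, but the RR bytes are where the readings diverge,
    so the digests differ whenever next_domain contains an uppercase letter."""
    rfc = canonical_nsec(owner, ttl, next_domain, types, True)
    lax = canonical_nsec(owner, ttl, next_domain, types, False)
    return hashlib.sha256(rfc).hexdigest(), hashlib.sha256(lax).hexdigest()
```

Calling `digest_both_readings("B.in-addr-servers.arpa", "C.in-addr-servers.arpa")` returns two different hex digests, while the RFC reading of the mixed-case record is byte-identical to either reading of the already lowercased record.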