[Opendnssec-develop] NSEC next_domain in canonical form

Wed Mar 24 11:21:55 UTC 2010

Sorry - resending response due to email server issues...

opendnssec-develop-bounces at lists.opendnssec.org wrote on 24/03/2010 
09:44:28:

> Alexd at nominet.org.uk 
> Sent by: opendnssec-develop-bounces at lists.opendnssec.org
> 
> 24/03/2010 09:44
> 
> To
> 
> Opendnssec-develop at lists.opendnssec.org
> 
> cc
> 
> apt at nominet.org.uk
> 
> Subject
> 
> [Opendnssec-develop] NSEC next_domain in canonical form
> 
> Hi - 
> 
> I've been looking at the problems reported by Dave Knight to 
> OpenDNSSEC, where a zone with : 
> 
> B.in-addr-servers.arpa.          3600            IN 
> NSEC            C.in-addr-servers.arpa. A AAAA RRSIG NSEC 
> 
> will not verify correctly in the auditor (it does with bind and ldns). 
> 
> The problem is with the capital "C" in the NSEC record. RFC 4034 states 
: 
> 
> The Next Domain field contains the next owner name (in the canonical
>   ordering of the zone) that has authoritative data or contains a
>   delegation point NS RRset 
> 
> The canonical ordering section then states : 
> 
> For the purposes of DNS security, owner names are ordered by treating
>   individual labels as unsigned left-justified octet strings.  The
>   absence of a octet sorts before a zero value octet, and uppercase
>   US-ASCII letters are treated as if they were lowercase US-ASCII
>   letters.
> 
> In dnsruby, I had taken this to mean that the NSEC record should 
> contain the canonical form of the next domain in the canonically sorted 
zone.
> 
> So, when dnsruby calculates the signature of an RRSet, it uses the 
> canonical form of the NSEC record. In this case, that means changing
> "C.in-add-servers.arpa" to "c.in-addr-servers.arpa", just like it 
> changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa". 
> This gives it a different message digest to ldns (which downcases 
> the "B", but keeps the "C" upcase). 
> 
> So, I was wondering if it was just me who took a different 
> interpretation away from the spec, or whether this should be 
> clarified somewhere. I was also hoping that somebody could give me a
> definitive answer on what the right thing to do with an NSEC 
> next_domain is. It does seem odd to me that this is not 
> canonicalised - after all, it already obeys the "no compression" 
> rule for canonical names... 
In fact, RFC4034 says : 

6.2.  Canonical RR Form

  For the purposes of DNS security, the canonical form of an RR is the
  wire format of the RR where:

  1.  every domain name in the RR is fully expanded (no DNS name
      compression) and fully qualified;

  2.  all uppercase US-ASCII letters in the owner name of the RR are
      replaced by the corresponding lowercase US-ASCII letters;

  3.  if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
      HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
      SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
      the DNS names contained within the RDATA are replaced by the
      corresponding lowercase US-ASCII letters;

So it would seem that Dnsruby is doing the right thing, and canonicalising 
the DNS name contained within the rdata of the NSEC record. 

Does this mean that ldns should be fixed to do the same thing - especially 
when it comes to creating NSEC records from the zone? 

Thanks, 

Alex. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100324/65a0141e/attachment.htm>