[Opendnssec-develop] NSEC next_domain in canonical form

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 25 02:01:36 UTC 2010


So, when dnsruby calculates the signature of an RRSet, it uses the canonical form of the NSEC record. In this case, that means changing "C.in-addr-servers.arpa" to "c.in-addr-servers.arpa", just like it changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa". This gives it a different message digest to ldns (which downcases the "B", but keeps the "C" upcase).

So, I was wondering if it was just me who took a different interpretation away from the spec, or whether this should be clarified somewhere. I was also hoping that somebody could give me a definitive answer on what the right thing to do with an NSEC next_domain is. It does seem odd to me that this is not canonicalised - after all, it already obeys the "no compression" rule for canonical names...

[Side question - if I'm wrong, then what happens if the domain name in the next_domain field is spelled in several different mixed-case ways in the zone? Which one makes the NSEC record?]

Matthijs, what do you say?

// Rickard
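
An added example (not part of the original message, and not dnsruby or ldns code) showing why the two interpretations described above cannot both validate: it builds the NSEC RR bytes that feed the signature once with the next-domain name lowercased and once with its case preserved. The TTL, the type list and the use of SHA-256 are constructed for illustration, and only the RR portion of the signed data is hashed.

```python
import hashlib
import struct

TYPE_A, TYPE_RRSIG, TYPE_NSEC, CLASS_IN = 1, 46, 47, 1

def name_to_wire(name, lowercase):
    """Uncompressed wire form of a domain name, optionally lowercasing ASCII letters."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out += bytes([len(raw)]) + (raw.lower() if lowercase else raw)
    return out + b"\x00"

def type_bitmaps(types):
    """NSEC type bit maps field: window number, bitmap length, bitmap."""
    windows = {}
    for t in types:
        bitmap = windows.setdefault(t >> 8, bytearray(32))
        bitmap[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = b""
    for window, bitmap in sorted(windows.items()):
        trimmed = bytes(bitmap).rstrip(b"\x00")
        out += bytes([window, len(trimmed)]) + trimmed
    return out

def nsec_signing_form(owner, next_name, types, ttl, lowercase_next):
    """RR bytes as hashed for the signature. The owner name is always
    lowercased; the next-domain name only when lowercase_next is set."""
    rdata = name_to_wire(next_name, lowercase_next) + type_bitmaps(types)
    header = struct.pack("!HHIH", TYPE_NSEC, CLASS_IN, ttl, len(rdata))
    return name_to_wire(owner, True) + header + rdata

def digests(owner, next_name, types, ttl=3600):
    """(digest with next name lowercased, digest with its case preserved)."""
    return tuple(
        hashlib.sha256(nsec_signing_form(owner, next_name, types, ttl, flag)).hexdigest()
        for flag in (True, False))

if __name__ == "__main__":
    # Names are from the message; TTL and type list are constructed sample values.
    lowered, preserved = digests("B.in-addr-servers.arpa", "C.in-addr-servers.arpa",
                                 {TYPE_A, TYPE_RRSIG, TYPE_NSEC})
    print("next name lowercased:", lowered)
    print("next name preserved: ", preserved)
    print("digests match:", lowered == preserved)
```

RFC 6840 section 5.1 later clarified this point: when canonicalizing, names in NSEC RDATA are not converted to lowercase, while names in RRSIG RDATA are.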