[Opendnssec-develop] NSEC next_domain in canonical form
rickard.bellgrim at iis.se
Thu Mar 25 02:01:36 UTC 2010
So, when dnsruby calculates the signature of an RRSet, it uses the canonical form of the NSEC record. In this case, that means changing "C.in-add-servers.arpa" to "c.in-addr-servers.arpa", just like it changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa". This gives it a different message digest to ldns (which downcases the "B", but keeps the "C" upcase).
So, I was wondering if it was just me who took a different interpretation away from the spec, or whether this should be clarified somewhere. I was also hoping that somebody could give me a definitive answer on what the right thing to do with an NSEC next_domain is. It does seem odd to me that this is not canonicalised - after all, it already obeys the "no compression" rule for canonical names...
[Side question - if I'm wrong, then what happens if the domain name in the next_domain field is spelled in several different mixed-case ways in the zone? Which one makes the NSEC record?]
Matthijs, what do you say?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-develop