[Opendnssec-develop] NSEC next_domain in canonical form

Alexd at nominet.org.uk Alexd at nominet.org.uk
Thu Mar 25 07:51:31 UTC 2010

opendnssec-develop-bounces at lists.opendnssec.org wrote on 25/03/2010 

> Rickard Bellgrim <rickard.bellgrim at iis.se> 
> Sent by: opendnssec-develop-bounces at lists.opendnssec.org
> 25/03/2010 02:01
> To
> "<Alexd at nominet.org.uk> <Alexd at nominet.org.uk>" <Alexd at nominet.org.uk>
> cc
> "Opendnssec-develop at lists.opendnssec.org" <Opendnssec-develop at lists.opendnssec.org>, "apt at nominet.org.uk" <apt at nominet.org.uk>
> Subject
> Re: [Opendnssec-develop] NSEC next_domain in canonical form
> So, when dnsruby calculates the signature of an RRSet, it uses the 
> canonical form of the NSEC record. In this case, that means changing
> "C.in-add-servers.arpa" to "c.in-addr-servers.arpa", just like it 
> changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa". 
> This gives it a different message digest to ldns (which downcases 
> the "B", but keeps the "C" upcase). 
> So, I was wondering if it was just me who took a different 
> interpretation away from the spec, or whether this should be 
> clarified somewhere. I was also hoping that somebody could give me a
> definitive answer on what the right thing to do with an NSEC 
> next_domain is. It does seem odd to me that this is not 
> canonicalised - after all, it already obeys the "no compression" 
> rule for canonical names... 

I think ldns has signed this wrong (and also that BIND verifies it wrong). 
RFC 4034 states:

6.2. Canonical RR Form

For the purposes of DNS security, the canonical form of an RR is the
wire format of the RR where:

1. every domain name in the RR is fully expanded (no DNS name
compression) and fully qualified;

2. all uppercase US-ASCII letters in the owner name of the RR are
replaced by the corresponding lowercase US-ASCII letters;

3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
the DNS names contained within the RDATA are replaced by the
corresponding lowercase US-ASCII letters;

which hasn't been the case here.
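
To make the rule concrete, the following is an added example (my own code, not dnsruby's, ldns's or OpenDNSSEC's) that builds the canonical wire form of the NSEC record under discussion: item 2 lowercases the owner name, and item 3 lowercases the next_domain field because NSEC is one of the quoted types. For comparison it also produces the form in which the next_domain keeps its case, which is the behaviour the message attributes to ldns, and shows that the two hash differently. The owner name, next name and type list are taken from the thread; the TTL, the SHA-256 stand-in for the signer's hash (the RRSIG RDATA prefix is left out) and the TXT record are constructed for the example.

```python
"""RFC 4034 section 6.2 canonical RR form, worked on the NSEC case from the thread."""
import hashlib
import struct

# Item 3 of RFC 4034 6.2, using the type list as quoted in the message above.
LOWERCASE_RDATA_TYPES = frozenset({
    "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG", "MR", "PTR",
    "SRV", "DNAME", "A6", "RRSIG", "NSEC",
})
TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "TXT": 16,
              "RRSIG": 46, "NSEC": 47}
CLASS_IN = 1


def encode_name(name, lowercase):
    """Uncompressed, fully qualified wire-format name (item 1); A-Z -> a-z on request."""
    trimmed = name.rstrip(".")
    out = bytearray()
    for label in (trimmed.split(".") if trimmed else []):
        raw = label.encode("ascii")
        if lowercase:
            raw = raw.lower()  # bytes.lower() only maps ASCII A-Z, as the RFC requires
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def type_bitmap(type_names):
    """NSEC type bit map (RFC 4034 4.1.2): window number, length, trimmed bitmap."""
    windows = {}
    for code in sorted(TYPE_CODES[t] for t in type_names):
        window, low = divmod(code, 256)
        bm = windows.setdefault(window, bytearray(32))
        bm[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for window in sorted(windows):
        bm = windows[window]
        length = max(i + 1 for i in range(32) if bm[i])  # drop trailing zero octets
        out += bytes([window, length]) + bytes(bm[:length])
    return bytes(out)


def canonical_rr(owner, ttl, rtype, rdata_fields, lowercase_rdata_names=None):
    """Canonical wire form of one RR: owner | type | class | TTL | RDLENGTH | RDATA.

    rdata_fields is a list of ("name", str) or ("raw", bytes) tuples. The owner
    name is always lowercased (item 2); names inside RDATA are lowercased only
    for the types in LOWERCASE_RDATA_TYPES (item 3). lowercase_rdata_names
    overrides that decision so the "keep the C upcase" form from the thread
    can be produced for comparison.
    """
    if lowercase_rdata_names is None:
        lowercase_rdata_names = rtype in LOWERCASE_RDATA_TYPES
    rdata = b"".join(
        encode_name(value, lowercase_rdata_names) if kind == "name" else value
        for kind, value in rdata_fields
    )
    header = struct.pack("!HHIH", TYPE_CODES[rtype], CLASS_IN, ttl, len(rdata))
    return encode_name(owner, True) + header + rdata


def nsec_fields(next_domain, types):
    """NSEC RDATA: next_domain name followed by the type bit map."""
    return [("name", next_domain), ("raw", type_bitmap(types))]


def digest(rr_bytes):
    """Stand-in for the hash a signer computes; the RRSIG RDATA prefix is omitted."""
    return hashlib.sha256(rr_bytes).hexdigest()


# Constructed sample based on the thread: B.in-addr-servers.arpa's NSEC pointing at C.
OWNER = "B.in-addr-servers.arpa."
NEXT = "C.in-addr-servers.arpa."
TYPES = ["A", "RRSIG", "NSEC"]
TTL = 3600  # assumed value, not from the thread

rfc4034_form = canonical_rr(OWNER, TTL, "NSEC", nsec_fields(NEXT, TYPES))
next_case_kept = canonical_rr(OWNER, TTL, "NSEC", nsec_fields(NEXT, TYPES),
                              lowercase_rdata_names=False)

if __name__ == "__main__":
    print("item 3 applied   :", rfc4034_form.hex())
    print("next_domain kept :", next_case_kept.hex())
    print("same digest?     :", digest(rfc4034_form) == digest(next_case_kept))
```

The two byte strings differ in exactly one octet (the `C` of the next_domain), so the two implementations in the thread were hashing different input and could never agree on a signature. One caveat worth knowing when reading this thread today: RFC 6840, section 5.1, later settled the point the other way and states that names in the RDATA of NSEC and RRSIG records are not converted to lowercase, i.e. the behaviour the message attributes to ldns; the `lowercase_rdata_names=False` path above corresponds to that reading.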
