[Opendnssec-develop] NSEC next_domain in canonical form
Alexd at nominet.org.uk
Alexd at nominet.org.uk
Thu Mar 25 07:51:31 UTC 2010
opendnssec-develop-bounces at lists.opendnssec.org wrote on 25/03/2010
02:01:36:
> Rickard Bellgrim <rickard.bellgrim at iis.se>
> Sent by: opendnssec-develop-bounces at lists.opendnssec.org
>
> 25/03/2010 02:01
>
> To
>
> "<Alexd at nominet.org.uk> <Alexd at nominet.org.uk>" <Alexd at nominet.org.uk>
>
> cc
>
> "Opendnssec-develop at lists.opendnssec.org" <Opendnssec-
> develop at lists.opendnssec.org>, "apt at nominet.org.uk" <apt at nominet.org.uk>
>
> Subject
>
> Re: [Opendnssec-develop] NSEC next_domain in canonical form
>
> So, when dnsruby calculates the signature of an RRSet, it uses the
> canonical form of the NSEC record. In this case, that means changing
> "C.in-add-servers.arpa" to "c.in-addr-servers.arpa", just like it
> changes the "B.in-addr-servers.arpa" to "b.in-addr-servers.arpa".
> This gives it a different message digest to ldns (which downcases
> the "B", but keeps the "C" upcase).
>
> So, I was wondering if it was just me who took a different
> interpretation away from the spec, or whether this should be
> clarified somewhere. I was also hoping that somebody could give me a
> definitive answer on what the right thing to do with an NSEC
> next_domain is. It does seem odd to me that this is not
> canonicalised - after all, it already obeys the "no compression"
> rule for canonical names...
I think ldns has signed this wrong (and also that BIND verifies it wrong).
RFC 4034 states :
6.2. Canonical RR Form
For the purposes of DNS security, the canonical form of an RR is the
wire format of the RR where:
1. every domain name in the RR is fully expanded (no DNS name
compression) and fully qualified;
2. all uppercase US-ASCII letters in the owner name of the RR are
replaced by the corresponding lowercase US-ASCII letters;
3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
the DNS names contained within the RDATA are replaced by the
corresponding lowercase US-ASCII letters;
which hasn't been the case here.
Alex.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100325/4be4a1dd/attachment.htm>
More information about the Opendnssec-develop
mailing list