[Opendnssec-develop] Converting unsigned data to lowercase

Rickard Bellgrim rickard at opendnssec.org
Fri May 27 06:21:35 UTC 2011


I cannot remember if we modified the 1.0 code in trunk or if .SE had
an internal patch. But I think the solution was to canonicalize the
data just before signing and not when data was written to the internal
storage. Keeping in mind that sorting should ignore the character
case.

RFC 4343 also mentions that you should not modify the character case of
the input data:

******
4.2.  DNS Input Case Preservation

   Originally, DNS data came from an ASCII Master File as defined in
   [STD13] or a zone transfer.  DNS Dynamic update and incremental zone
   transfers [RFC1995] have been added as a source of DNS data [RFC2136,
   RFC3007].  When a node in the DNS name tree is created by any of such
   inputs, no case conversion is done.  Thus, the case of ASCII labels
   is preserved if they are for nodes being created.
******


On Thu, May 26, 2011 at 4:03 PM, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
> I remember that one of the possible solutions was to store the input
> data next to the ldns rr so-to-say. Use the canonicalized ldns rr for
> creating signatures and use the untouched input data for writing the
> signed zone file.
>
> This has not been done yet. It was I believe low priority. Plus, it
> pushes even more on our memory usage.
>
> The other option was to fix your script:). Domain name comparison should
> be case insensitive.
>
> Best regards,
>
> Matthijs
>
>
> On 05/26/2011 03:49 PM, Rickard Bellgrim wrote:
>> Hi
>>
>> Currently I am setting up v1.3.0 in our test bed, but .SE's test
>> scripts will not accept the signed zone because all of the uppercase
>> data has been converted to lowercase. It is around 500 RRs where the
>> domain name is written in uppercase. (This is some old data in the
>> database; new data will be saved in lowercase.)
>>
>> I remember that we had this discussion more than a year ago and we
>> ended up changing the behavior of the Signer Engine to not touch the
>> data and only do the conversion on the input for the signatures.
>>
>> What is our opinion this time?
>>
>> // Rickard
>> _______________________________________________
>> Opendnssec-develop mailing list
>> Opendnssec-develop at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>

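The approach the thread converges on (keep the input data untouched, canonicalize only when building the signature input, sort owner names case-insensitively) as an added example. This is not OpenDNSSEC or ldns code; Python is used for illustration, the records are constructed, only the A type is modelled, and a SHA-256 digest of the RFC 4034 canonical RRset stands in for the real RRSIG computation so the script runs offline without key material.

```python
"""Canonicalize for signing, preserve case on output.

Added example, not OpenDNSSEC or ldns code.  It models the approach discussed
in the thread: keep the owner name exactly as read from the input, build the
RFC 4034 canonical form (owner name lowercased, uncompressed wire encoding,
canonical RR ordering) only when deriving the signature input, and sort
owner names case-insensitively.  Records are constructed for this example,
and the "signature input" is a SHA-256 digest of the canonical RRset rather
than a real RRSIG, so it runs offline without key material.
"""
import hashlib
import struct
from dataclasses import dataclass

TYPE_CODES = {"A": 1}   # only the type used by the constructed sample data
CLASS_IN = 1


@dataclass(frozen=True)
class RR:
    owner: str      # exactly as read from the input; case is never modified
    ttl: int
    rrtype: str
    rdata: bytes    # wire-format RDATA (4 octets for an A record)


def _fold(label: bytes) -> bytes:
    """RFC 4034 s6.2 / RFC 4343: fold only ASCII A-Z; other octets untouched."""
    return bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in label)


def _labels(name: str) -> list[bytes]:
    return [l.encode("ascii") for l in name.rstrip(".").split(".") if l]


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical form: uncompressed wire format, lowercased."""
    out = bytearray()
    for label in _labels(name):
        out.append(len(label))
        out += _fold(label)
    out.append(0)           # root label
    return bytes(out)


def canonical_sort_key(name: str) -> list[bytes]:
    """RFC 4034 s6.1 ordering: compare labels from the root downward,
    case-insensitively; a name sorts before every name below it."""
    return [_fold(l) for l in reversed(_labels(name))]


def canonical_rrset(rrs: list[RR]) -> bytes:
    """RFC 4034 s3.1.8.1: RR(1) | RR(2) | ..., each RR encoded as
    canonical owner | type | class | TTL | RDLENGTH | RDATA, with the RRs
    sorted by RDATA.  All RRs must share owner, type and TTL."""
    owners = {canonical_wire_name(rr.owner) for rr in rrs}
    types = {rr.rrtype for rr in rrs}
    ttls = {rr.ttl for rr in rrs}
    if len(owners) != 1 or len(types) != 1 or len(ttls) != 1:
        raise ValueError("not a single RRset")
    owner, rrtype, ttl = owners.pop(), types.pop(), ttls.pop()
    # The set drops duplicate RRs; sorted() gives canonical RDATA order.
    rdatas = sorted({rr.rdata for rr in rrs})
    return b"".join(
        owner + struct.pack("!HHIH", TYPE_CODES[rrtype], CLASS_IN, ttl, len(rd)) + rd
        for rd in rdatas
    )


def signature_input_digest(rrs: list[RR]) -> str:
    """Stand-in for the data fed to the signing algorithm.  A real RRSIG
    prepends the RRSIG RDATA (minus the signature field) to the RRset."""
    return hashlib.sha256(canonical_rrset(rrs)).hexdigest()


def zone_lines(rrs: list[RR]) -> list[str]:
    """Presentation-format output: owner case as read, never canonicalized,
    but ordered with the case-insensitive key."""
    lines = []
    for rr in sorted(rrs, key=lambda r: (canonical_sort_key(r.owner), r.rdata)):
        lines.append(f"{rr.owner}\t{rr.ttl}\tIN\t{rr.rrtype}\t"
                     + ".".join(str(b) for b in rr.rdata))
    return lines


# Constructed sample: the same RRset with the owner written in two cases.
UPPER = [RR("WWW.Example.ORG.", 3600, "A", bytes([192, 0, 2, 2])),
         RR("WWW.Example.ORG.", 3600, "A", bytes([192, 0, 2, 1]))]
LOWER = [RR("www.example.org.", 3600, "A", bytes([192, 0, 2, 1])),
         RR("www.example.org.", 3600, "A", bytes([192, 0, 2, 2]))]

if __name__ == "__main__":
    print(signature_input_digest(UPPER) == signature_input_digest(LOWER))
    print("\n".join(zone_lines(UPPER)))   # owner is still "WWW.Example.ORG."
```

Both spellings of the owner yield the same signature input, so a validator that canonicalizes on its side accepts either, while the emitted zone keeps whatever case the input had; the comparison in a test script then has to be case-insensitive, as the thread says. Names inside RDATA (NS, MX, and similar) also need canonical-form handling for the signature input, which this A-only sample does not cover.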