[Opendnssec-develop] Converting unsigned data to lowercase

Rickard Bellgrim rickard at opendnssec.org
Mon May 30 07:22:35 UTC 2011


.SE will in the June release remove the uppercase data. This will thus
not be a problem.

On Fri, May 27, 2011 at 8:21 AM, Rickard Bellgrim
<rickard at opendnssec.org> wrote:
> I cannot remember if we modified the 1.0 code in trunk or if .SE had
> an internal patch. But I think the solution was to canonicalize the
> data just before signing and not when data was written to the internal
> storage. Keeping in mind that sorting should ignore the character
> case.
>
> RFC4343 also mentions that you should not modify the character case of
> the input data:
>
> ******
> 4.2.  DNS Input Case Preservation
>
>   Originally, DNS data came from an ASCII Master File as defined in
>   [STD13] or a zone transfer.  DNS Dynamic update and incremental zone
>   transfers [RFC1995] have been added as a source of DNS data [RFC2136,
>   RFC3007].  When a node in the DNS name tree is created by any of such
>   inputs, no case conversion is done.  Thus, the case of ASCII labels
>   is preserved if they are for nodes being created.
> ******
>
>
> On Thu, May 26, 2011 at 4:03 PM, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
>>
>> I remember that one of the possible solutions was to store the input
>> data next to the ldns rr so-to-say. Use the canonicalized ldns rr for
>> creating signatures and use the untouched input data for writing the
>> signed zone file.
>>
>> This has not been done yet. It was I believe low priority. Plus, it
>> pushes even more on our memory usage.
>>
>> The other option was to fix your script:). Domain name comparison should
>> be case insensitive.
>>
>> Best regards,
>>
>> Matthijs
>>
>>
>> On 05/26/2011 03:49 PM, Rickard Bellgrim wrote:
>>> Hi
>>>
>>> Currently I am setting up v1.3.0 in our test bed, but .SE's test
>>> scripts will not accept the signed zone because all of the uppercase
>>> data has been converted to lowercase. It is around 500 RR where the
>>> domain name is written in uppercase. (This is some old data in the
>>> database, new data will be saved in lowercase)
>>>
>>> I remember that we had this discussion more than a year ago and we
>>> ended up changing the behavior of the Signer Engine to not touch the
>>> data and only do the conversion on the input for the signatures.
>>>
>>> What is our opinion this time?
>>>
>>> // Rickard
>>
>>
>
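
The two ideas discussed in this thread (compare and sort owner names without regard to case, but leave the stored text untouched) as an added Python example; it is not part of the original messages and is not OpenDNSSEC code. The function names and sample records are constructed, and owner names are assumed to be plain ASCII with no escaped dots.

```python
import string

# ASCII-only case folding (A-Z -> a-z), the folding RFC 4343 describes for DNS labels.
_FOLD = bytes.maketrans(string.ascii_uppercase.encode(),
                        string.ascii_lowercase.encode())

def canonical_key(owner):
    """Comparison/sort key: lowercased labels, rightmost label first.

    Assumption: presentation-format name without escaped dots.
    """
    labels = [l for l in owner.encode("ascii").split(b".") if l]
    return tuple(l.translate(_FOLD) for l in reversed(labels))

def signing_order(records):
    """Sort (owner, type, rdata) records by canonical owner name.

    Only the sort key is folded; the records keep their original case.
    """
    return sorted(records, key=lambda rr: (canonical_key(rr[0]), rr[1], rr[2]))

def diff_zones(unsigned, signed):
    """Return unsigned records with no counterpart in the signed zone.

    Owner names are compared case-insensitively; type and rdata exactly.
    """
    seen = {(canonical_key(o), t, d) for o, t, d in signed}
    return [rr for rr in unsigned
            if (canonical_key(rr[0]), rr[1], rr[2]) not in seen]

# Constructed sample data: the input zone has mixed-case owner names.
UNSIGNED = [
    ("WWW.Example.SE.", "A", "192.0.2.10"),
    ("example.se.", "A", "192.0.2.1"),
    ("MAIL.example.se.", "A", "192.0.2.25"),
]
# Constructed: output of a signer that lowercased the owner names.
SIGNED = [
    ("example.se.", "A", "192.0.2.1"),
    ("mail.example.se.", "A", "192.0.2.25"),
    ("www.example.se.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    print("byte-exact check flags:", [rr for rr in UNSIGNED if rr not in SIGNED])
    print("case-insensitive check flags:", diff_zones(UNSIGNED, SIGNED))
    for rr in signing_order(UNSIGNED):
        print(*rr)
```

A byte-exact check flags the two mixed-case records as missing, while the case-insensitive check flags nothing and still reports a record whose rdata really differs.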


