[Opendnssec-user] Playing with 2.0.1
Mark Elkins
mje at posix.co.za
Tue Aug 30 16:05:38 UTC 2016
On 30/08/2016 17:20, Yuri Schaeffer wrote:
> Hi Mark,
>
>> And in the creation of NSEC3 records, the "next link of the chain"
>> (which is currently in upper case) means the "chained-to" record will
>> also be in Upper Case???
>
> I'm unsure what you mean. In what case are the hashes published in
> uppercase by ODS?
NSEC3 records chain from one to the next. In the NSEC3 record, the 9th
field is the name of the next link. It's always in upper case (ODS & BIND).

In ODS, the "Chained to" record is currently in lower case. I think it
should be in upper case. In BIND - the "chained to" record is in upper
case - i.e. "preserving" the Case.

If one is writing checking tools that work for both BIND and ODS, then
this would be a difference to code around because of the way that the
two signers work.

I'm not saying BIND is better but they are regarded as "standard".
It's a small change but would provide conformance and that is what I am
looking for.

> The point of the proposed patch is to make sure the published records in
> the signed zone will be unmodified from the input zone. Not for any
> technical reason but merely for 'least surprises'. Any records generated
> by ODS itself do not need to fall under this policy.
>
> //Yuri
>
>> eg...
>>
>> 13bu1nqrimn19lbkq6cvqume6thbsebr.web.za. 300 IN NSEC3 1 1 5
>> A021CAFA36A752AC 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1 MX RRSIG
>>
>> ||
>> \||/ <-- a down pointing arrow
>> \/
>>
>> 1alj0rmhhsfu8i2rq6hb0t74je03mgc1.web.za. 300 IN NSEC3 1 1 5
>> A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
>>
>> So in the next release, the line above will be written as:
>>
>> 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1.web.za. 300 IN NSEC3 1 1 5
>> A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG
>>
>> Please.
>>
>>
>>
>>
>> On 30/08/2016 16:41, Yuri Schaeffer wrote:
>>> On 30-08-16 16:10, Mark Elkins wrote:
>>>> Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
>>>> side of all zones (the name part, before the TTL). Can this modification
>>>> of data be switched off?
>>>
>>> Agreed and the next release will have a fix for this.
>>>
>>> https://github.com/opendnssec/opendnssec/pull/479/commits/9094d7623335c78ff18fdc606e30efdc340646b9
>>>
>>> There is no run-time option for this.
>>>
>>> //Yuri
>>
>>
>>
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
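
An added example, not part of the original message and not code from OpenDNSSEC or BIND: a small chain check of the kind mentioned above, which decodes the base32hex hash labels before comparing them, so the case of the owner name no longer matters. The first two records are the ones quoted in the thread (rejoined onto one line); the third record and all function names are constructed for illustration.

```python
import base64

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 "extended hex" alphabet
TO_STD = str.maketrans(B32HEX, "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# Records 1 and 2 are quoted in the thread (owners in lower case, as ODS 2.0.1
# wrote them). Record 3 is constructed here only to close the chain.
ODS_STYLE = [
    "13bu1nqrimn19lbkq6cvqume6thbsebr.web.za. 300 IN NSEC3 1 1 5 "
    "A021CAFA36A752AC 1ALJ0RMHHSFU8I2RQ6HB0T74JE03MGC1 MX RRSIG",
    "1alj0rmhhsfu8i2rq6hb0t74je03mgc1.web.za. 300 IN NSEC3 1 1 5 "
    "A021CAFA36A752AC 1NRSLBF0FHCATO1CB7E13OP7DHHVPAUT MX RRSIG",
    "1nrslbf0fhcato1cb7e13op7dhhvpaut.web.za. 300 IN NSEC3 1 1 5 "
    "A021CAFA36A752AC 13BU1NQRIMN19LBKQ6CVQUME6THBSEBR MX RRSIG",
]

def upper_owner(line):
    """Upper-case the owner's hash label (BIND-style output as described in the thread)."""
    label, rest = line.split(".", 1)
    return label.upper() + "." + rest

BIND_STYLE = [upper_owner(l) for l in ODS_STYLE]

def parse_nsec3(line):
    """Return (owner hash label, next hashed owner) from a one-line NSEC3 RR."""
    f = line.split()
    if len(f) < 9 or f[3].upper() != "NSEC3":
        raise ValueError("not an NSEC3 record: %r" % line)
    return f[0].split(".", 1)[0], f[8]   # the 9th field is the next link

def hash_bytes(label):
    """Decode a base32hex label of either case to the raw 20-byte hash."""
    up = label.upper()
    if len(up) != 32 or set(up) - set(B32HEX):
        raise ValueError("not a SHA-1 base32hex label: %r" % label)
    return base64.b32decode(up.translate(TO_STD))

def dangling_links(lines, case_sensitive=False):
    """List 'next' fields that match no NSEC3 owner in the record set."""
    recs = [parse_nsec3(l) for l in lines]
    key = (lambda s: s) if case_sensitive else hash_bytes
    owners = {key(owner) for owner, _ in recs}
    return [nxt for _, nxt in recs if key(nxt) not in owners]

if __name__ == "__main__":
    for name, zone in (("ODS-style", ODS_STYLE), ("BIND-style", BIND_STYLE)):
        print(name, "strict:", dangling_links(zone, True),
              "normalised:", dangling_links(zone))
```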