IETF Logo Mail Archive

Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

Mohan Parthasarathy <suruti94@gmail.com> Fri, 13 January 2012 18:33 UTC

Return-Path: <suruti94@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D85AB21F8540 for <dnsext@ietfa.amsl.com>; Fri, 13 Jan 2012 10:33:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[AWL=-0.980, BAYES_00=-2.599, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id abC4L-zMGmOq for <dnsext@ietfa.amsl.com>; Fri, 13 Jan 2012 10:33:15 -0800 (PST)
Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6177921F852B for <dnsext@ietf.org>; Fri, 13 Jan 2012 10:33:14 -0800 (PST)
Received: by obcwo10 with SMTP id wo10so3148726obc.31 for <dnsext@ietf.org>; Fri, 13 Jan 2012 10:33:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=jMiqVCLM+RbGTHYpE7pr2efvCZMp27wDyipBKjxIVuw=; b=P4h5RrpK69w+vJCzr9Iy2NJmn4eGQ0DJc9XvgDXUBNq4fPGvxGiBWh4kgYqx+zb2JP R/Nz5dM7/4DctFgO+aeEr3Vz18ANhveA/2YVrwgDdabF+oV0+YJMN2mdVwjxcZXlBhl1 Nw0kt9NaxHTrKZ8SjxNwM7XiTHsCTAv99wvMc=
MIME-Version: 1.0
Received: by 10.182.40.66 with SMTP id v2mr1807730obk.15.1326479593862; Fri, 13 Jan 2012 10:33:13 -0800 (PST)
Received: by 10.182.147.105 with HTTP; Fri, 13 Jan 2012 10:33:13 -0800 (PST)
In-Reply-To: <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org>
References: <a06240801cabc9d0de24d@192.168.129.103> <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org>
Date: Fri, 13 Jan 2012 10:33:13 -0800
Message-ID: <CACU5sDnPJxPqQJ455iDeyvLaABk0HUnvNh1aPeq21XQuevqKkg@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Samuel Weiler <weiler@watson.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 18:33:16 -0000

On Thu, Jan 12, 2012 at 8:20 PM, Samuel Weiler <weiler@watson.org> wrote:
> I don't recall seeing much discussion of the below.  As doc editor, I would
> like to hear an extra voice or three chime in before I fix this.
>
> As I understand Ed's message, the (signer) name in an RRSIG does need to be
> downcased.  The next name in a NSEC RR does NOT need to be downcased.  Is
> that right?
+1. Sometime back there was an email thread (which I can't locate now)
where the signature verification failed if you don't downcase for
something in .US zone.

-mohan

>
>
> On Thu, 13 Oct 2011, Edward Lewis wrote:
>
>> In this section of the still-a-draft update to the DNSSEC definition of
>> RFC 4033-4035 an issue has arisen that needs to be addressed.
>>
>> # http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-14
>> #
>> #5.1.  Errors in Canonical Form Type Code List
>> #
>> #   When canonicalizing DNS names, DNS names in the RDATA section of NSEC
>> #   and RRSIG resource records are not downcased.
>> #
>> #   [RFC4034] Section 6.2 item 3 has a list of resource record types for
>> #   which DNS names in the RDATA are downcased for purposes of DNSSEC
>> #   canonical form (for both ordering and signing).  That list
>> #   erroneously contains NSEC and RRSIG.  According to [RFC3755], DNS
>> #   names in the RDATA of NSEC and RRSIG should not be downcased.
>> #
>> #   The same section also erroneously lists HINFO, and twice at that.
>> #   Since HINFO records contain no domain names, they are not subject to
>> #   downcasing.
>>
>> For the purposes of this email a "major implementation" refers to a widely
>> distributed general purpose implementation of DNS.  It's become apparent
>> that two major implementations of validators have differed on downcaseing
>> the RRSIG.
>>
>> We've been trying to determine why this problem hasn't surfaced in a
>> real-world outage.  It seems that all major implementations of signers down
>> case
>> the RRSIG before signing.
>>
>> Treat this as a suggestion.  Unexcuse RRSIG from the list of names that
>> avoid downcasing.  (NSEC is not a problem.)  Any thoughts?
>>
>> --
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> Edward Lewis
>> NeuStar                    You can leave a voice message at
>> +1-571-434-5468
>>
>> Vote for the word of the day:
>> "Papa"razzi - father that constantly takes photos of the baby
>> Corpureaucracy - The institution of corporate "red tape"
>>
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>

v2.23.0 | Report a Bug | By Email