Re: [dnsext] RRSIG signer name down-casing

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 21 June 2011 13:38 UTC

Message-Id: <a06240800ca264c0fde66@[192.168.1.104]>
In-Reply-To: <396B6F93A3774482A4DFAFD458C56BA0@local>
References: <396B6F93A3774482A4DFAFD458C56BA0@local>
Date: Tue, 21 Jun 2011 09:38:10 -0400
To: George Barwood <george.barwood@blueyonder.co.uk>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] RRSIG signer name down-casing

At 8:57 +0100 6/21/11, George Barwood wrote:

>It seems that the signer name has to be down-cased for this 
>signature to verify.
>
>However this is contrary to 
>http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-12#section-5.1
>
>    When canonicalizing DNS names, DNS names in the RDATA section of NSEC
>    and RRSIG resource records are not downcased.
>
>But existing validators don't fail, so it seems they do down-case.
>
>Hence I'm confused. Is dnssec-bis-updates "wrong"?

This discussion came up recently on some list.  The answer is that 
the case doesn't matter, uh, in this case.  The only time a domain 
name in the RDATA has to be down-cased is when it can be compressed.

The reason is - without compression, the RR will appear in a response 
the same as it was generated (outside of forgeries, which is what 
DNSSEC is about).  With compression, the case used for the domain 
name in the RDATA depends on what comes first in the response.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

I'm overly entertained.
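
As an added illustration of the point under discussion (example code, not from 
either poster), the following builds the octets an RRSIG is computed over, 
RRSIG_RDATA | RR(1) | ... | RR(n) per RFC 4034 section 3.1.8.1 with the RRs in 
canonical form per section 6.2, under both candidate rules for the Signer's 
Name: down-cased as RFC 4034 section 6.2 says, and left as-is as the 
dnssec-bis-updates text George quotes says. The zone names, addresses, 
timestamps and key tag are all constructed for the example. The result shows 
why a signer and a validator that pick different rules only disagree when the 
signer name actually contains upper-case letters.

```python
"""
Added example (not part of the thread): canonical signed data for an RRSIG,
RFC 4034 sections 3.1.8.1, 6.2 and 6.3, computed with and without down-casing
the Signer's Name. All names, addresses, timestamps and key tags are constructed.
"""
import struct

TYPE_A = 1
CLASS_IN = 1


def name_to_wire(name: str, downcase: bool) -> bytes:
    """Presentation form -> uncompressed wire form (RFC 1035 section 3.1).

    With downcase=True, ASCII A-Z become a-z, as RFC 4034 section 6.2 requires
    for owner names (and, in that RFC, for names in the RDATA of RRSIG and NSEC
    as well). Every other octet is copied unchanged.
    """
    out = bytearray()
    stripped = name.rstrip(".")
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if downcase:
            raw = bytes(c + 0x20 if 0x41 <= c <= 0x5A else c for c in raw)
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return bytes(out)


def rrsig_rdata_prefix(type_covered: int, algorithm: int, labels: int,
                       original_ttl: int, expiration: int, inception: int,
                       key_tag: int, signer: str, downcase_signer: bool) -> bytes:
    """RRSIG RDATA with the Signature field omitted (RFC 4034 section 3.1.8.1).

    downcase_signer=True is the RFC 4034 section 6.2 rule; False is the
    dnssec-bis-updates rule, which leaves RRSIG/NSEC RDATA names untouched.
    """
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, key_tag)
    return fixed + name_to_wire(signer, downcase_signer)


def canonical_rrset(owner: str, rtype: int, rclass: int, original_ttl: int,
                    rdatas: list) -> bytes:
    """RR(1) | ... | RR(n) in canonical form and canonical order.

    The owner name is always down-cased (RFC 4034 section 6.2), the TTL is the
    RRSIG's Original TTL, and the RRs are sorted by RDATA treated as unsigned
    octet strings (section 6.3).
    """
    out = b""
    for rdata in sorted(rdatas):
        out += (name_to_wire(owner, downcase=True)
                + struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata))
                + rdata)
    return out


def signed_data(owner: str, signer: str, downcase_signer: bool) -> bytes:
    """Octets that are hashed and signed for a constructed A RRset at `owner`."""
    rdatas = [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])]  # constructed
    labels = len(owner.rstrip(".").split("."))  # no wildcard, so plain count
    prefix = rrsig_rdata_prefix(TYPE_A, 8, labels, 3600,
                                expiration=1309564800, inception=1308700800,
                                key_tag=12345, signer=signer,
                                downcase_signer=downcase_signer)
    return prefix + canonical_rrset(owner, TYPE_A, CLASS_IN, 3600, rdatas)


def signer_case_matters(owner: str, signer: str) -> bool:
    """True if the two Signer's Name rules yield different octets to sign."""
    return signed_data(owner, signer, True) != signed_data(owner, signer, False)


if __name__ == "__main__":
    # Signer name written with capitals in the zone: the rules disagree, so a
    # signer and a validator following different rules will not verify.
    print(signer_case_matters("www.Example.COM.", "Example.COM."))  # True
    # All-lowercase signer name: both rules produce identical octets.
    print(signer_case_matters("www.example.com.", "example.com."))  # False
```

The practical check this gives a validator author: if a zone's RRSIG signer 
names are already lower-case on the wire, the two canonicalisation rules are 
indistinguishable; the disagreement George hit only appears when the signer 
name carries upper-case octets and the signing side and the verifying side 
treat them differently.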