[dnsext] spaces in hex DS digest, NSEC3 salt and SSHFP

bert hubert <bert.hubert@netherlabs.nl> Wed, 19 January 2011 19:01 UTC

Date: Wed, 19 Jan 2011 20:03:46 +0100
From: bert hubert <bert.hubert@netherlabs.nl>
To: dnsext@ietf.org
Message-ID: <20110119190346.GA13422@xs.powerdns.com>

Hi everybody,

PowerDNSSEC turns out to be confused by spaces in the database (or zone
file) in the DS digest. It terminates the digest at the first non-hex
character.

The venerable 'dig' tool emits DS digest type 2 with spaces:
powerdns.nl.		7200	IN	NS	powerdnssec2.ds9a.nl.
powerdns.nl.		7200	IN	NS	powerdnssec1.ds9a.nl.
powerdns.nl.		7200	IN	DS	7354 8 2
F238862D8DFCB5C837D33E28C0D318191DBA76FFC87C6F053D2AD67E 22BF1D7C

RFC 3658 says: 

 'The presentation format of the DS record consists of three numbers
  (key tag, algorithm, and digest type) followed by the digest itself
  presented in hex'

It says nothing about spaces in the hex. Of course we could be liberal in
what we accept; however, there are also NSEC3 and NSEC3PARAM, which store
the salt in hex.

RFC5155 says:

   'The Salt field is represented as a sequence of case-insensitive
    hexadecimal digits.  Whitespace is not allowed within the
    sequence.'

Finally, SSHFP is the third type that encodes hex blobs, and RFC 4255
states:

   'The RDATA of the presentation format of the SSHFP resource record
    consists of two numbers (algorithm and fingerprint type) followed by
    the fingerprint itself, presented in hex'

Sadly this breaks the nice symmetry where we had only one 'hexBlob', one
that terminates at the first space.

Because 'dig' is so widely distributed, I'm afraid we'll have no choice but
to butcher PowerDNS into dealing with the spaces, but what do people think?
Do spaces belong in hex blobs, and in the DS specifically?

	Bert
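One way to handle the two different rules side by side, as an added example that is not PowerDNS code: a small Python parser that rejoins the space-separated digest chunks dig emits for DS, but rejects whitespace inside an NSEC3PARAM salt as RFC 5155 requires, and checks the digest length so a truncated digest fails loudly rather than being stored as a record that can never validate. The DS sample is the record from the dig output quoted above; the NSEC3PARAM inputs and the function names are constructed for this example.

```python
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Digest length in bytes per DS digest type: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DS_DIGEST_LEN = {1: 20, 2: 32}


def parse_hex_blob(fields, allow_whitespace):
    """Assemble one hex blob from the remaining whitespace-split fields.

    allow_whitespace=True  : DS/SSHFP style, rejoin dig's space-separated chunks.
    allow_whitespace=False : NSEC3/NSEC3PARAM salt, RFC 5155 forbids whitespace.
    """
    if not fields:
        raise ValueError("missing hex field")
    if len(fields) > 1 and not allow_whitespace:
        raise ValueError("whitespace not allowed inside hex field")
    blob = "".join(fields)
    if not HEX_RE.match(blob) or len(blob) % 2:
        raise ValueError("malformed hex field: %r" % blob)
    return bytes.fromhex(blob)


def parse_ds(rdata):
    """Parse DS RDATA text -> (key_tag, algorithm, digest_type, digest bytes)."""
    key_tag, algorithm, digest_type, *rest = rdata.split()
    key_tag, algorithm, digest_type = int(key_tag), int(algorithm), int(digest_type)
    digest = parse_hex_blob(rest, allow_whitespace=True)
    expected = DS_DIGEST_LEN.get(digest_type)
    # A digest of the wrong length can never match any DNSKEY: reject it now
    # instead of loading a record that silently breaks validation later.
    if expected is not None and len(digest) != expected:
        raise ValueError("digest type %d needs %d bytes, got %d"
                         % (digest_type, expected, len(digest)))
    return key_tag, algorithm, digest_type, digest


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM RDATA text -> (hash_alg, flags, iterations, salt bytes)."""
    hash_alg, flags, iterations, *rest = rdata.split()
    # RFC 5155: '-' is the presentation form of an empty salt.
    salt = b"" if rest == ["-"] else parse_hex_blob(rest, allow_whitespace=False)
    return int(hash_alg), int(flags), int(iterations), salt


def truncate_at_first_non_hex(blob_text):
    """The behaviour described in the post: stop at the first non-hex character."""
    return bytes.fromhex(re.match(r"[0-9A-Fa-f]*", blob_text).group(0))


# Sample DS RDATA taken from the dig output quoted in the post (two hex chunks).
DIG_DS = "7354 8 2 F238862D8DFCB5C837D33E28C0D318191DBA76FFC87C6F053D2AD67E 22BF1D7C"
```

Running `parse_ds(DIG_DS)` yields the full 32-byte SHA-256 digest, while `truncate_at_first_non_hex` on the same digest text stops after 28 bytes, which the length check in `parse_ds` would reject.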