[dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 13 October 2011 15:16 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D403421F8ADC for <dnsext@ietfa.amsl.com>; Thu, 13 Oct 2011 08:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.948
X-Spam-Level:
X-Spam-Status: No, score=-105.948 tagged_above=-999 required=5 tests=[AWL=0.649, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7YjyvB9XsA6 for <dnsext@ietfa.amsl.com>; Thu, 13 Oct 2011 08:16:25 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 0EEBF21F8AB8 for <dnsext@ietf.org>; Thu, 13 Oct 2011 08:16:16 -0700 (PDT)
Received: from ccur-lt61.cis.neustar.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p9DFGEAI049857; Thu, 13 Oct 2011 11:16:15 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [192.168.129.103] by ccur-lt61.cis.neustar.com (PGP Universal service); Thu, 13 Oct 2011 11:16:15 -0400
X-PGP-Universal: processed; by ccur-lt61.cis.neustar.com on Thu, 13 Oct 2011 11:16:15 -0400
Mime-Version: 1.0
Message-Id: <a06240801cabc9d0de24d@[192.168.129.103]>
In-Reply-To: <20111012144101.205a61dff9fc1684c258b274662bb912.3f5e55ecf1.wbe@email00.secureserver.net>
References: <20111012144101.205a61dff9fc1684c258b274662bb912.3f5e55ecf1.wbe@email00.secureserver.net>
Date: Thu, 13 Oct 2011 11:16:12 -0400
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: multipart/alternative; boundary="============_-893603521==_ma============"
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Cc: ed.lewis@neustar.biz
Subject: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2011 15:16:25 -0000

In this section of the still-a-draft update to the DNSSEC definition 
of RFC 4033-4035 an issue has arisen that needs to be addressed.

# http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-14
#
#5.1.  Errors in Canonical Form Type Code List
#
#   When canonicalizing DNS names, DNS names in the RDATA section of NSEC
#   and RRSIG resource records are not downcased.
#
#   [RFC4034] Section 6.2 item 3 has a list of resource record types for
#   which DNS names in the RDATA are downcased for purposes of DNSSEC
#   canonical form (for both ordering and signing).  That list
#   erroneously contains NSEC and RRSIG.  According to [RFC3755], DNS
#   names in the RDATA of NSEC and RRSIG should not be downcased.
#
#   The same section also erroneously lists HINFO, and twice at that.
#   Since HINFO records contain no domain names, they are not subject to
#   downcasing.

For the purposes of this email a "major implementation" refers to a 
widely distributed general purpose implementation of DNS.  It's 
become apparent that two major implementations of validators have 
differed on downcasing the RRSIG.

We've been trying to determine why this problem hasn't surfaced in a 
real-world outage.  It seems that all major implementations of 
signers downcase the RRSIG before signing.

Treat this as a suggestion.  Unexcuse RRSIG from the list of names 
that avoid downcasing.  (NSEC is not a problem.)  Any thoughts?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"
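The following is an added illustration, not code from this email, from the draft, or from any of the implementations discussed. It builds the RRSIG RDATA that a signer covers (Signature field excluded, as RFC 4034 section 3.1.8.1 describes) under the RFC 4034 section 6.2 type list, which downcases the Signer's Name, and under the corrected list from section 5.1 of the draft, which does not. The RRSIG field values and the signer name "Example.COM." are constructed for the demonstration. Whenever the two rule sets produce different bytes, a signature computed by a signer following one rule cannot verify under a validator following the other, which is exactly the interoperability exposure the email describes.

```python
"""Canonical-form treatment of the RRSIG Signer's Name under RFC 4034 6.2
versus the corrected list in dnssec-bis-updates section 5.1.
Added illustration; field values below are constructed, not real records."""
import struct

# RFC 4034 Section 6.2 item 3, as published (HINFO really appears twice there).
RFC4034_DOWNCASE_TYPES = frozenset({
    "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG", "MR", "PTR", "HINFO",
    "MINFO", "MX", "HINFO", "RP", "AFSDB", "RT", "SIG", "PX", "NXT",
    "NAPTR", "KX", "SRV", "DNAME", "A6", "RRSIG", "NSEC",
})

# The same list with the entries section 5.1 of the draft calls erroneous removed.
CORRECTED_DOWNCASE_TYPES = RFC4034_DOWNCASE_TYPES - {"NSEC", "RRSIG", "HINFO"}


def name_to_wire(name, downcase):
    """Encode a presentation-format name as uncompressed wire format
    (RFC 4034 6.2 item 1). When downcase is True, only US-ASCII uppercase
    letters are mapped to lowercase (items 2 and 3); other octets are untouched."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        if downcase:
            raw = bytes(c + 32 if 65 <= c <= 90 else c for c in raw)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


# Constructed RRSIG fields for the demonstration (type covered 1 = A,
# algorithm 8 = RSA/SHA-256, key tag and times are arbitrary sample values).
SAMPLE_RRSIG = {
    "type_covered": 1,
    "algorithm": 8,
    "labels": 2,
    "original_ttl": 3600,
    "expiration": 1320000000,
    "inception": 1318000000,
    "key_tag": 12345,
}


def rrsig_rdata_for_signing(fields, signer, downcase_types):
    """Wire-format RRSIG RDATA with the Signature field excluded
    (RFC 4034 3.1.8.1). The Signer's Name is downcased only if RRSIG
    appears in the rule set's list of types whose RDATA names are downcased."""
    fixed = struct.pack(
        ">HBBIIIH",
        fields["type_covered"], fields["algorithm"], fields["labels"],
        fields["original_ttl"], fields["expiration"], fields["inception"],
        fields["key_tag"],
    )
    return fixed + name_to_wire(signer, "RRSIG" in downcase_types)


def validators_agree(signer, fields=SAMPLE_RRSIG):
    """True when a signer/validator pair using the RFC 4034 list and one using
    the corrected list would cover identical bytes, i.e. when any signature
    over this RRSIG verifies the same way under both rules."""
    old = rrsig_rdata_for_signing(fields, signer, RFC4034_DOWNCASE_TYPES)
    new = rrsig_rdata_for_signing(fields, signer, CORRECTED_DOWNCASE_TYPES)
    return old == new


if __name__ == "__main__":
    for signer in ("example.com.", "Example.COM."):
        print("%-14s agree=%s" % (signer, validators_agree(signer)))
```

For an all-lowercase Signer's Name the two rule sets cover identical bytes, which is why the difference between validators has not surfaced as an outage; it only bites when an RRSIG carries a Signer's Name with uppercase letters, and then the bytes covered by the signer (which downcases) and by a strict validator (which does not) diverge.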