Re: [dnsext] RRSIG signer name down-casing

Sean Wells <snwells82@gmail.com> Tue, 28 June 2011 19:23 UTC

Date: Tue, 28 Jun 2011 12:23:15 -0700
Message-ID: <BANLkTinCY3Ljvr9HWV6V3=6eV1557KsU0Q@mail.gmail.com>
From: Sean Wells <snwells82@gmail.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] RRSIG signer name down-casing

On Tue, Jun 21, 2011 at 6:38 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:

> At 8:57 +0100 6/21/11, George Barwood wrote:
>
>> It seems that the signer name has to be down-cased for this signature to
>> verify.
>>
>> However this is contrary to
>> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-12#section-5.1
>>
>>   When canonicalizing DNS names, DNS names in the RDATA section of NSEC
>>   and RRSIG resource records are not downcased.
>>
>> But existing validators don't fail, so it seems they do down-case.
>>
>> Hence I'm confused. Is dnssec-bis-updates "wrong"?
>>
>
> This discussion came up recently on some list.  The answer is that the case
> doesn't matter, uh, in this case.  The only time a domain name in the RDATA
> has to be down cased is when it can be compressed.
>
> The reason is - without compression, the RR will appear in a response the
> same as it was generated (outside of forgeries, which is what DNSSEC is
> about).  With compression, the case used for the domain name in the RDATA
> depends on what comes first in the response.
>
I am a little confused about this. As per RFC 4034, the signer name cannot
be compressed and for signature calculation it should be lower case. So, it
is possible that the received RRSIG has "ORG" in the signer name whereas the
signature was computed with "org"?


> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> I'm overly entertained.
>

-- 
Sean
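To make concrete which bytes an RRSIG signature covers and exactly where the signer name's case enters, here is an added Python example (not code from this thread, nor from any signer or validator discussed in it). It builds the "signed data" of RFC 4034 section 3.1.8.1 for a constructed RRset: the RRSIG RDATA with the Signature field omitted, followed by the RRset in canonical form. Owner names are downcased either way, as section 6.1 requires; the `downcase_signer` switch models the two readings under discussion (RFC 4034 section 6.2 as written versus the dnssec-bis-updates text George quoted). The RRset, timestamps and key tag are made-up values, `ALG_RSASHA256` is only the registry number and no real signing takes place; SHA-256 over the signed data stands in for the signature algorithm so that any difference in the covered bytes shows up as a different digest.

```python
# Added example: which bytes an RRSIG signature covers, and where the signer
# name's case enters. Constructed for illustration; not code from the thread.
import hashlib
import struct

TYPE_A = 1
CLASS_IN = 1
ALG_RSASHA256 = 8  # IANA algorithm number only; no RSA signing is performed here


def name_to_wire(name: str, downcase: bool) -> bytes:
    """Encode an absolute dotted name as uncompressed wire-format labels.

    Owner names are always downcased in canonical form (RFC 4034 6.1); whether
    the RRSIG Signer's Name is downcased is the point the thread argues about.
    """
    if downcase:
        name = name.lower()
    out = b""
    for label in name.rstrip(".").split("."):
        if label == "":
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def label_count(owner: str) -> int:
    """RRSIG Labels field: label count excluding root and a leading '*' (RFC 4034 3.1.3)."""
    labels = [lab for lab in owner.rstrip(".").split(".") if lab]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer_name, downcase_signer):
    """RRSIG RDATA with the Signature field left out (RFC 4034 3.1.8.1)."""
    fixed = struct.pack(">HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, key_tag)
    # The Signer's Name is never compressed on the wire (RFC 4034 3.1.7), so
    # what is signed here is what the validator will see, case included.
    return fixed + name_to_wire(signer_name, downcase=downcase_signer)


def canonical_rrset(owner, rtype, rclass, original_ttl, rdatas):
    """RRset in canonical form and order (RFC 4034 6.1-6.3): downcased owner
    name, original TTL, RRs sorted by RDATA as uninterpreted octet strings."""
    owner_wire = name_to_wire(owner, downcase=True)
    out = b""
    for rdata in sorted(rdatas):
        out += owner_wire + struct.pack(">HHIH", rtype, rclass, original_ttl, len(rdata)) + rdata
    return out


def rrsig_signed_data(owner, rtype, rdatas, original_ttl, expiration, inception,
                      key_tag, signer_name, downcase_signer):
    """Bytes a signer feeds to its algorithm (RRSIG RDATA prefix || canonical RRset)."""
    prefix = rrsig_rdata_prefix(rtype, ALG_RSASHA256, label_count(owner), original_ttl,
                                expiration, inception, key_tag, signer_name, downcase_signer)
    return prefix + canonical_rrset(owner, rtype, CLASS_IN, original_ttl, rdatas)


def signed_data_digest(downcase_signer: bool, signer_name: str = "ORG.") -> str:
    """SHA-256 of the signed data for one constructed A RRset; every value is made up."""
    data = rrsig_signed_data(
        owner="WWW.Example.ORG.",  # mixed case on purpose: canonical form downcases it
        rtype=TYPE_A,
        rdatas=[bytes([192, 0, 2, 2]), bytes([192, 0, 2, 1])],  # two constructed A records
        original_ttl=3600, expiration=1311000000, inception=1309000000, key_tag=12345,
        signer_name=signer_name, downcase_signer=downcase_signer)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("signer name kept as written :", signed_data_digest(downcase_signer=False))
    print("signer name downcased       :", signed_data_digest(downcase_signer=True))
```

Run as-is, the two digests differ, and they differ only because the constructed signer name "ORG." contains uppercase letters: with `signer_name="org."` both switches produce identical bytes. Since the Signer's Name is never compressed, the validator receives exactly the octets the signer wrote, so the only requirement for interoperability is that signer and validator apply the same convention to that field; owner-name case, by contrast, is normalised away on both sides.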
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext