Re: [dnsext] draft-ietf-dnsext-dnssec-bis-updates-11 Errors in Canonical Form Type Code List

Matthijs Mekking <matthijs@NLnetLabs.nl> Mon, 29 March 2010 10:12 UTC

Message-ID: <4BB07C0F.7000802@nlnetlabs.nl>
Date: Mon, 29 Mar 2010 12:08:15 +0200
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
Organization: NLnet Labs
User-Agent: Thunderbird 2.0.0.24 (X11/20100317)
MIME-Version: 1.0
To: George Barwood <george.barwood@blueyonder.co.uk>
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-ietf-dnsext-dnssec-bis-updates-11 Errors in Canonical Form Type Code List
References: <C004FE8F7AB34BE7960C16896AB9BBC2@localhost>
In-Reply-To: <C004FE8F7AB34BE7960C16896AB9BBC2@localhost>


George Barwood wrote:
> http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-11#section-5.1
> 
> states
> 
> "When canonicalizing DNS names, DNS names in the RDATA section of NSEC
>    and RRSIG resource records are not downcased."
> 
> citing RFC 3755.
> 
> I have some comments:
> 
> (1) RRSIG records do not need or have a canonical form, since they are not themselves ever signed.
> So the RRSIG reference makes no sense (unless I'm missing something).

But they should still be consistent with RFC3597.

> (2) RFC 4034 obsoletes RFC3755, so the citation seems odd. I prefer what RFC 4034 says,
> and don't think this is an error, rather an improvement.

Again, the text is inconsistent with RFC3597.

> (3) In view of the possibility of interoperability problems, I suggest that signers
> should downcase DNS names in the RDATA section of NSEC and NSEC3 records
> in the signed output. That ensures that signatures will verify regardless of whether a
> resolver has implemented RFC 4034 or RFC 3755.

And again...

The downcasing in the RDATA of NSEC records is ensured by sorting the
zone in canonical order, prior to creating NSEC records.


Best regards,

Matthijs Mekking
NLnet Labs

> Since the DNS names in NSEC3 RDATA are generated by the signer, this is the obvious choice in any case,
> and almost certainly what current implementations do. The examples in RFC 5155 all show lower-case names, but
> there doesn't seem to be any definitive statement that rules out upper case names. A statement to that effect might be useful.
> 
> George
