Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

Mark Andrews <marka@isc.org> Mon, 16 January 2012 22:57 UTC

To: Samuel Weiler <weiler@watson.org>
From: Mark Andrews <marka@isc.org>
References: <a06240801cabc9d0de24d@192.168.129.103> <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org> <CACU5sDnPJxPqQJ455iDeyvLaABk0HUnvNh1aPeq21XQuevqKkg@mail.gmail.com> <20120113225013.642F21B13171@drugs.dv.isc.org> <4F13F208.8010908@nlnetlabs.nl> <4F14359F.8050206@nlnetlabs.nl> <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>
In-reply-to: Your message of "Mon, 16 Jan 2012 10:04:51 CDT." <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>
Date: Tue, 17 Jan 2012 09:56:48 +1100
Message-Id: <20120116225648.C09331B780C2@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

In message <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>, Samuel Weiler writes:
> Thank you for the history.  Going forward, what's the best thing to do 
> in the interest of interoperability?
> 
> It may be worth asking not only what signers do but also what existing 
> validators do.  If we've only seen problems with this in the wild once 
> (perhaps?) then there may be an ugly but interoperable answer we can 
> document for the future.
> 
> -- Sam

If we emit downcased "Signer Name"s then it does not matter what the
validator does.

To the best of my knowledge no one uses domain name compression on
these names so as long as the signer only uses and emits a downcased
version of the name it will interoperate regardless of what the
validator does, i.e. build the RRSIG with a downcased signer name
rather than downcasing the signer name when adding it to the digest.

If you are signing with "MiXeD.ExAmPlE" then the signer name in the
RRSIG is "mixed.example".

Unfortunately I missed removing the downcase step for RRSIGs when
I did the type code roll fixes years ago.

> On Mon, 16 Jan 2012, W.C.A. Wijngaards wrote:
> 
> > Hi Sam,
> >
> > Just to clarify my previous mail: what we implement is RFC3755.  This
> > states no downcasing in the rdata of NSEC and RRSIG.
> >
> > To see how we came to this implementation I searched through mail from
> > 2007.  I found that the reason for this is that we first implemented
> > RFC4034, but that typecodelist in 4034 contained errors (double HINFO,
> > includes NSEC and RRSIG in a copy-paste-rename-mistake from RFC2535 or
> > something like that).  This brought to light differences in
> > implementations from before RFC4034 and after RFC4034.  Because of
> > this we changed to implement RFC3755, and dnssec-bis-updates-06 then
> > lists this as something to fix in RFC4034 and states the RFC3755
> > rules.  This is there until -16 (last week), where it changes.
> >
> > Downcasing is not necessary in NSEC and RRSIG; downcasing before
> > signature creation and verification is only needed in case
> > dname compression and decompression has removed upper/lowercase
> > differences.  The domain names in the rdata of NSEC and RRSIG are not
> > compressed, and thus case is preserved.  So, a downcase operation is
> > not needed (in principle).
> >
> > So, currently we stay with RFC3755, because we want to implement
> > standards RFCs, and not drafts if possible.  RFC3755 is obsoleted by
> > RFC4034, but as already discussed on namedroppers, its typecodelist
> > was erroneous. And therefore we ignored that list in RFC4034.  Thus
> > our implementation matches the dnssec-bis-updates draft versions -06
> > to -15 in this respect.  Regardless of the outcome of this
> > interoperability problem, we will implement RFCs and thus the RFC that
> > comes out of dnssec-bis-updates, whether that downcases both(4034),
> > neither(3755) or something else(draft-16).
> >
> > Best regards,
> >   Wouter
> >
> > On 01/16/2012 10:46 AM, W.C.A. Wijngaards wrote:
> >> Hi Mark,
> >>
> >> On 01/13/2012 11:50 PM, Mark Andrews wrote:
> >>>>> I don't recall seeing much discussion of the below.  As
> >>>>> doc editor, I would
> >>>>> like to hear an extra voice or three chime in before I fix
> >>>>> this.
> >>>>>
> >>>>> As I understand Ed's message, the (signer) name in an RRSIG
> >>>>> does need to be
> >>>>> downcased.  The next name in a NSEC RR does NOT need to be
> >>>>> downcased.  Is
> >>>>> that right?
> >>>> +1. Sometime back there was an email thread (which I can't
> >>>> locate now) where the signature verification failed if you
> >>>> don't downcase for something in .US zone.
> >>
> >>> named downcases the RRSIG's Signer's Name; named does not
> >>> downcase NSEC's Next Domain Name.
> >>
> >> unbound does not downcase RRSIG signername and does not downcase
> >> NSEC nextdomain name for DNSSEC validation.
> >>
> >> ldns rr canonicalisation does not downcase RRSIG signername and
> >> NSEC nextdomain.  So, this is for ldns-signzone and verify.
> >>
> >> opendnssec produces lowercase signernames in its RRSIGs, and thus
> >> it does not matter if they are downcased or not (for the RRSIGs
> >> produced by the opendnssec signer).
> >>
> >> It started with HINFO, where, today, the rdata is not downcased by
> >> unbound, ldns.
> >>
> >> Best regards, Wouter
> >> _______________________________________________ dnsext mailing
> >> list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
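The interoperability point Mark makes above (emit a downcased Signer's Name so that it no longer matters whether the validator downcases it) and Wouter's observation that case only matters where canonical form is applied, shown as an added example that is not part of this thread or of named, unbound, ldns or OpenDNSSEC. It builds the "signed data" a validator hashes per RFC 4034 section 3.1.8.1 (RRSIG RDATA minus the Signature field, followed by the RRset in canonical form); the RRSIG field values and the RRset are constructed sample data.

```python
import struct

def wire_name(name: str, downcase: bool) -> bytes:
    """Uncompressed wire form of a domain name. downcase=True applies the
    RFC 4034 section 6.2 canonical-form rule (ASCII letters lowered)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if downcase:
        labels = [l.lower() for l in labels]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# RRSIG fixed fields: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag (RFC 4034 section 3.1).
RRSIG_FIXED = struct.Struct("!HBBIIIH")

def signed_data(fields: tuple, signer_name: str, rrset: list,
                validator_downcases_signer: bool) -> bytes:
    """Bytes a validator hashes: RRSIG RDATA up to and including Signer's
    Name (no Signature field), then the RRset in canonical form (owner
    names downcased, RRs ordered by RDATA). The flag models the behaviour
    the thread disagrees on: named downcases Signer's Name, unbound and
    ldns do not."""
    type_covered, original_ttl = fields[0], fields[3]
    prefix = RRSIG_FIXED.pack(*fields) + wire_name(signer_name, validator_downcases_signer)
    out = [prefix]
    for owner, rdata in sorted(rrset, key=lambda rr: rr[1]):
        # canonical RR: owner | type | class IN | original TTL | RDLENGTH | RDATA
        out.append(wire_name(owner, True)
                   + struct.pack("!HHIH", type_covered, 1, original_ttl, len(rdata))
                   + rdata)
    return b"".join(out)

# Constructed sample data (not from the thread): an A RRset, RSASHA256, 3 labels.
FIELDS = (1, 8, 3, 3600, 1327000000, 1326000000, 12345)
RRSET = [("WWW.MiXeD.ExAmPlE.", bytes([192, 0, 2, 1])),
         ("WWW.MiXeD.ExAmPlE.", bytes([192, 0, 2, 2]))]

def validators_agree(signer_name_in_rrsig: str) -> bool:
    """True when a downcasing and a non-downcasing validator verify the same bytes."""
    return (signed_data(FIELDS, signer_name_in_rrsig, RRSET, True)
            == signed_data(FIELDS, signer_name_in_rrsig, RRSET, False))

if __name__ == "__main__":
    print(validators_agree("MiXeD.ExAmPlE"))  # False: mixed-case name emitted
    print(validators_agree("mixed.example"))  # True: signer emitted downcased name
```

Owner names are always downcased in canonical form, so the RRset itself never causes a mismatch; only the Signer's Name copied verbatim into the RRSIG RDATA does.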