Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)
Mark Andrews <marka@isc.org> Mon, 16 January 2012 22:57 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A3E21F867A; Mon, 16 Jan 2012 14:57:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1326754637; bh=jiA2kIAbHvY/GRRjDZ/UUEc9xjsec3w6tVfdDzXC8K4=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=ckau/FXuEf59fqPmDGLK2FFgs3Me0Mz9iG33eafSladRw9Fufn3qnqv+iJ2m+rfbt 1Z3ABY6t3+1BPnsaAJ7Q5mKqw/kVGOM7AyP8PA58BgQHY3ZKzf9SjwFKSm9GEVUYNv Um/PB13Wb4Y29q3cxJ0UwgTLtCq1eDYPi3gpFDzg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CC7821F867A for <dnsext@ietfa.amsl.com>; Mon, 16 Jan 2012 14:57:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.481
X-Spam-Level:
X-Spam-Status: No, score=-2.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n+ZhbZxS8D3D for <dnsext@ietfa.amsl.com>; Mon, 16 Jan 2012 14:57:16 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id D21FA21F8605 for <dnsext@ietf.org>; Mon, 16 Jan 2012 14:57:15 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 492135F98A2; Mon, 16 Jan 2012 22:56:53 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:7db4:152d:79c6:de25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 46C2B216C6D; Mon, 16 Jan 2012 22:56:51 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id C09331B780C2; Tue, 17 Jan 2012 09:56:48 +1100 (EST)
To: Samuel Weiler <weiler@watson.org>
From: Mark Andrews <marka@isc.org>
References: <a06240801cabc9d0de24d@192.168.129.103> <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org> <CACU5sDnPJxPqQJ455iDeyvLaABk0HUnvNh1aPeq21XQuevqKkg@mail.gmail.com> <20120113225013.642F21B13171@drugs.dv.isc.org> <4F13F208.8010908@nlnetlabs.nl> <4F14359F.8050206@nlnetlabs.nl> <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>
In-reply-to: Your message of "Mon, 16 Jan 2012 10:04:51 CDT." <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>
Date: Tue, 17 Jan 2012 09:56:48 +1100
Message-Id: <20120116225648.C09331B780C2@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
In message <alpine.BSF.2.00.1201161002280.10245@fledge.watson.org>, Samuel Weil er writes: > Thank you for the history. Going forward, what's the best thing to do > in the interest of interoperability? > > It may be worth asking not only what signers do but also what existing > validators do. If we've only seen problems with this in the wild once > (perhaps?) then there may be an ugly but interoperable answer we can > document for the future. > > -- Sam If we emit downcased "Signer Name"s then it does not matter what the validator does. To the best of my knowledge no one uses domain name compression on these names so as long as the signer only uses and emits a downcased version of the name it will interoperate regardless of what the validator does. i.e. Build the RRSIG with a downcased signer name rather than downcasing signer name when adding it to the digest. If you are signing with "MiXeD.ExAmPlE" then the signer name in the RRSIG is "mixed.example". Unfortunately I missed removing the downcase step for RRSIGs when I did the type code roll fixes years ago. > On Mon, 16 Jan 2012, W.C.A. Wijngaards wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Hi Sam, > > > > Just to clarify my previous mail: what we implement is RFC3755. This > > states no downcasing in the rdata of NSEC and RRSIG. > > > > To see how we came to this implementation I searched through mail from > > 2007. I found that the reason for this is that we first implemented > > RFC4034, but that typecodelist in 4034 contained errors (double HINFO, > > includes NSEC and RRSIG in a copy-paste-rename-mistake from RFC2535 or > > something like that). This brought to light differences in > > implementations from before RFC4034 and after RFC4034. Because of > > this we changed to implement RFC3755 and in dnssec-bis-updates-06 it > > is then listed this as something to fix in RFC4034, and it states the > > RFC3755 rules. This is there until -16 (last week) where it changes. > > > > Downcasing is not necessary in NSEC and RRSIG, downcase before > > signature verify and create is only needed in case > > dname-compression-and-decompression has removed upper-lowercase > > differences. The domain names in the rdata of NSEC and RRSIG are not > > compressed, and thus case is preserved. So, a downcase operation is > > not needed (in principle). > > > > So, currently we stay with RFC3755, because we want to implement > > standards RFCs, and not drafts if possible. RFC3755 is obsoleted by > > RFC4034, but as already discussed on namedroppers, its typecodelist > > was erroneous. And therefore we ignored that list in RFC4034. Thus > > our implementation matches the dnssec-bis-updates draft versions -06 > > to -15 in this respect. Regardless of the outcome of this > > interoperability problem, we will implement RFCs and thus the RFC that > > comes out of dnssec-bis-updates, whether that downcases both(4034), > > neither(3755) or something else(draft-16). > > > > Best regards, > > Wouter > > > > On 01/16/2012 10:46 AM, W.C.A. Wijngaards wrote: > >> Hi Mark, > >> > >> On 01/13/2012 11:50 PM, Mark Andrews wrote: > >>>>> I don't recall seeing much discussion of the below. =A0As > >>>>> doc editor, I w= > >>>> ould > >>>>> like to hear an extra voice or three chime in before I fix > >>>>> this. > >>>>> > >>>>> As I understand Ed's message, the (signer) name in an RRSIG > >>>>> does need to = > >>>> be > >>>>> downcased. =A0The next name in a NSEC RR does NOT need to be > >>>>> downcased. = > >>>> =A0Is > >>>>> that right? > >>>> +1. Sometime back there was an email thread (which I can't > >>>> locate now) where the signature verification failed if you > >>>> don't downcase for something in .US zone. > >> > >>> named downcases the RRSIG's Signer's Name named does not > >>> downcase NSEC's Next Domain Name. > >> > >> unbound does not downcase RRSIG signername and does not downcase > >> NSEC nextdomain name for DNSSEC validation. > >> > >> ldns rr canonicalisation does not downcase RRSIG signername and > >> NSEC nextdomain. So, this is for ldns-signzone and verify. > >> > >> opendnssec produces lowercase signernames in its RRSIGs, and thus > >> it does not matter if they are downcased or not (for the RRSIGs > >> produced by the opendnssec signer). > >> > >> It started with HINFO, where, today, the rdata is not downcased by > >> unbound, ldns. > >> > >> Best regards, Wouter > >> _______________________________________________ dnsext mailing > >> list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.11 (GNU/Linux) > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > > > iQIcBAEBAgAGBQJPFDWfAAoJEJ9vHC1+BF+NZL4P/Rrs1hl9q02hlU8c83M1BgxT > > v3KPpVQ2369LpY5Vr/0SOUu5W8l8J76pcpkkameKg4PKfW2nzrdUVKD7i/KBmC3h > > 9C9pDzLyamXofG7oxCFAFXOYYJkJ4tXjr31SHfhxsb0YxfvuZE80ZZiOk5+3IhJF > > kWQnUOoIMQMXttCLW6ecHk/i7JhE6gn/7+P8uw3ElunKXqZSleZ42cKIx5WHK+Wg > > 0VNOd3SctuHw41HrtN9O0na7HN/FQr38Gq3tE5+UtFxv1h7hLs+nH2X1Zk2gM9bx > > 5LXpOdMyvuDlHr7jvyPf4v6JSP2XhbRENe3DNonixK41TQ4laDlHbmbWsFQyjZYD > > +CN8vO+w4Mh0TeB6QLEfQAO922l4mR7ts8FwgDYCl0nejoNUU99bb1VVY/6Laa22 > > jd8CwcCYqI/pvxcuuTf/kaqOryizyJ5oBFgDSlaKr42AHqmG6vVtXZoamr1Zi248 > > UjHDe2bYnY+uf3OpfVvI3Smbs6vFoBY0Xkj4RMAlupPpNvEXeJwtx+k1TQ/E9f7n > > Yh/QMz32Q86TTXR33/9HDIJvF6e7b2WLMGkOUZVTMMzqI3EZiPg2mDbzAhcs1j1G > > tgIweyfpSwYWhykPIIYL0FHCxHsqF2dm59wFn2Bo0B9fdTdoVB0D2iW+9ctnrZbl > > g/mH7UFd4xsNImX2ZNEG > > =n3EK > > -----END PGP SIGNATURE----- > > _______________________________________________ > > dnsext mailing list > > dnsext@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsext > > > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Jakob Schlyter
- [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Aki Tuomi
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Olaf Kolkman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Robert Edmonds
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Patrik Fältström
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Måns Nilsson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ray Bellis
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt bmanning
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- [dnsext] Related to section 5.1 of dnssec-bis-upd… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Olafur Gudmundsson
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mohan Parthasarathy
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews