IETF Logo Mail Archive

Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

Mark Andrews <marka@isc.org> Tue, 17 January 2012 04:06 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A18081F0C38; Mon, 16 Jan 2012 20:06:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1326773203; bh=XFMF5E4WXg+yuG7y6+RcyUkf5R3ZOOenlmIyvE8wWKE=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=B4rmjNWWoRL254BIadRGYSnoNr9ZDhFyzvCPGBdsdz/DJg4KizMxuwUZeh3bVGkLz ObyWaCkV6z4uHkgbWK4N+7PCvJ9qYIw+s0pLL1MklHLR9gkGf9tX+Lu72c0c7ggUDo DAJriRhLSpQI1thKK5UIhxn6wfNQtfAS7tnM/6x0=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D09E1F0C38 for <dnsext@ietfa.amsl.com>; Mon, 16 Jan 2012 20:06:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.505
X-Spam-Level:
X-Spam-Status: No, score=-2.505 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fmGV5bApuAd for <dnsext@ietfa.amsl.com>; Mon, 16 Jan 2012 20:06:41 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id A4D321F0C35 for <dnsext@ietf.org>; Mon, 16 Jan 2012 20:06:40 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 83378C9463; Tue, 17 Jan 2012 04:06:24 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:7db4:152d:79c6:de25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 3EA00216C6A; Tue, 17 Jan 2012 04:06:24 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id CB9B01B7B433; Tue, 17 Jan 2012 15:06:18 +1100 (EST)
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
From: Mark Andrews <marka@isc.org>
References: <a06240801cabc9d0de24d@192.168.129.103> <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org> <CACU5sDnPJxPqQJ455iDeyvLaABk0HUnvNh1aPeq21XQuevqKkg@mail.gmail.com> <20120113225013.642F21B13171@drugs.dv.isc.org> <4F13F208.8010908@nlnetlabs.nl>
In-reply-to: Your message of "Mon, 16 Jan 2012 10:46:48 BST." <4F13F208.8010908@nlnetlabs.nl>
Date: Tue, 17 Jan 2012 15:06:18 +1100
Message-Id: <20120117040618.CB9B01B7B433@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <4F13F208.8010908@nlnetlabs.nl>, "W.C.A. Wijngaards" writes:
> Hi Mark,
> 
> On 01/13/2012 11:50 PM, Mark Andrews wrote:
> >>> I don't recall seeing much discussion of the below. =A0As doc
> >>> editor, I would
> >>> like to hear an extra voice or three chime in before I fix
> >>> this.
> >>> 
> >>> As I understand Ed's message, the (signer) name in an RRSIG
> >>> does need to be downcased. 
> >>> The next name in a NSEC RR does NOT need to be downcased. Is
> >>> that right?
> >> +1. Sometime back there was an email thread (which I can't locate
> >> now) where the signature verification failed if you don't
> >> downcase for something in .US zone.
> > 
> > named downcases the RRSIG's Signer's Name named does not downcase
> > NSEC's Next Domain Name.
> 
> unbound does not downcase RRSIG signername and does not downcase NSEC
> nextdomain name for DNSSEC validation.

Then how does it validate .US, .CO and .BIZ as the signer in the RRSIG
is in upper case?  If I disable down casing I get validation failures.

17-Jan-2012 14:48:21.099 validating @0x101101c00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:22.062 error (insecurity proof failed) resolving 'US/DNSKEY/IN': 156.154.127.70#53
17-Jan-2012 14:48:22.430 validating @0x101101c00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:22.430 error (no valid RRSIG) resolving 'US/DNSKEY/IN': 156.154.126.70#53
17-Jan-2012 14:48:22.735 validating @0x101101c00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:22.735 error (no valid RRSIG) resolving 'US/DNSKEY/IN': 209.173.58.70#53
17-Jan-2012 14:48:23.963 validating @0x101112e00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:23.963 error (no valid RRSIG) resolving 'US/DNSKEY/IN': 156.154.125.70#53
17-Jan-2012 14:48:24.273 validating @0x101112e00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:24.273 error (no valid RRSIG) resolving 'US/DNSKEY/IN': 156.154.124.70#53
17-Jan-2012 14:48:25.502 validating @0x101100c00: US DNSKEY: no valid signature found
17-Jan-2012 14:48:25.502 error (no valid RRSIG) resolving 'US/DNSKEY/IN': 156.154.128.70#53

> ldns rr canonicalisation does not downcase RRSIG signername and NSEC
> nextdomain.  So, this is for ldns-signzone and verify.
> 
> opendnssec produces lowercase signernames in its RRSIGs, and thus it
> does not matter if they are downcased or not (for the RRSIGs produced
> by the opendnssec signer).
> 
> It started with HINFO, where, today, the rdata is not downcased by
> unbound, ldns.
> 
> Best regards,
>    Wouter

It would be easy enough to have the validation routines try "as is"
then "lowercase" for backwards compatibility with the expectation
that we can look to removing backwards compatibility hacks Jan 1,
2020.  Similarly we would lowercase the signer when generating the
RRSIG and stop doing that around 2020.  That's 8 years to remove
the old validators.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email