Re: [dnsext] downcasing of names in IPSECKEY and HIP?

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 23 February 2012 13:53 UTC

Mime-Version: 1.0
Message-Id: <a06240800cb6beed8cba6@[10.31.203.212]>
In-Reply-To: <20120223111847.DFDA81DC1B7B@drugs.dv.isc.org>
References: <7D06DD86-7FF8-467E-B320-32B525C72B9C@netherlabs.nl> <20120223111847.DFDA81DC1B7B@drugs.dv.isc.org>
Date: Thu, 23 Feb 2012 08:53:42 -0500
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: ed.lewis@neustar.biz
Subject: Re: [dnsext] downcasing of names in IPSECKEY and HIP?

At 22:18 +1100 2/23/12, Mark Andrews wrote:
>  Peter van Dijk writes:
>>  Dear colleagues,
>>
>>  working from dnssec-bis-updates-16 section 5.1, and 6.2 of 4034, I
>>  gather that the rule for downcasing names in RDATA is not simply
>>  "downcase everything that is a name", but that the RRtypes listed
>>  have been selected for a reason.
...
>>  My apologies if answers to these questions are in the archives; I
>>  did a cursory search but did not find anything.
>
>The answers are in the RFCs.  http://www.ietf.org/rfc/rfc3597.txt

Except that the RFCs aren't clear and contradict themselves.  I'm 
responding because I spent a non-trivial amount of time on this very 
topic sometime last year.

The general rule is supposed to be: if the type is compressible any 
domain name in the RDATA has to be downcased when doing DNSSEC 
operations (signing, validating).  That is because the case of the 
domain name might change due to the order of the response packet and 
the extent to which the sender tries to maintain case.

But, mistakes were made.  Compression was defined early.  A problem 
arose when new types, those in 1183 and later, were defined and 
implementers assumed that these new types should be compressed.  The 
reason they shouldn't was related to backwards compatibility, but 
that wasn't seen as a crucial design goal at the time.  Because some 
implementations of types defined in this "era" compressed the names, 
today we say "be prepared to see these compressed but don't compress 
them anymore."  Hence, down casing is needed.

And then there's the most frustrating case of the RRSIG.  Although it 
was defined after the new enlightenment that new types should not be 
compressed, the leading implementation continued to down case the 
type by mistake.  Kind of illustrating that code beats specification, 
other implementations followed the leading implementation and not the 
specification.  To this day, if you don't down case RRSIG there will 
likely be interoperability problems with your implementation.

From my spreadsheet, the following type codes are to be down cased for DNSSEC:

2-9,12,14,15,17,18,21,24,26,30,33,35,36,38,39,46.
(Some of those are obsolete.)

The types that are to be compressed on sending and might (will) be on 
receiving:

2-9,12,14,15.

These are in the "well-known" range, those defined in STD 13 documents.

Types not to be compressed when sending but might be on receiving:

17,18,21,24,26,30,33,35.

The other types, 36, 38, 39, 46 are KX, A6, DNAME, and RRSIG.  Except 
for RRSIG, these were simply erroneously defined as needing to be 
down cased from the start.

As far as I can tell...
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext