Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Tue, 17 January 2012 09:04 UTC

Message-ID: <4F153977.8080906@nlnetlabs.nl>
Date: Tue, 17 Jan 2012 10:03:51 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: Mark Andrews <marka@isc.org>
References: <a06240801cabc9d0de24d@192.168.129.103> <alpine.BSF.2.00.1201122318080.86374@fledge.watson.org> <CACU5sDnPJxPqQJ455iDeyvLaABk0HUnvNh1aPeq21XQuevqKkg@mail.gmail.com> <20120113225013.642F21B13171@drugs.dv.isc.org> <4F13F208.8010908@nlnetlabs.nl> <20120117040618.CB9B01B7B433@drugs.dv.isc.org>
In-Reply-To: <20120117040618.CB9B01B7B433@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Related to section 5.1 of dnssec-bis-updates (-14)


Hi Mark,

On 01/17/2012 05:06 AM, Mark Andrews wrote:
>>> named downcases the RRSIG's Signer's Name named does not
>>> downcase NSEC's Next Domain Name.
>> 
>> unbound does not downcase RRSIG signername and does not downcase
>> NSEC nextdomain name for DNSSEC validation.
> 
> Then how does it validate .US, .CO and .BIZ as the signer in the
> RRSIG is in upper case?  If I disable down casing I get validation
> failures.

I was wrong!  I looked into the wrong code (there is a (mostly harmless)
bug).  Unbound downcases the RRSIG rdata.  Unbound does not downcase
the NSEC rdata.

So, the deployed Unbound implements -16, and is compatible with BIND.
Given this is the deployed code, the other arguments are perhaps moot.

Hence US, CO and BIZ verify.  Thanks for that test.

> It would be easy enough to have the validation routines try "as
> is" then "lowercase" for backwards compatibility with the
> expectation that we can look to removing backwards compatibility
> hacks Jan 1, 2020.

My apologies for the wrong information - unbound contains a bug on this
topic - but unbound indeed downcases the RRSIG signer name.  Hence
very strong workarounds are not necessary.

> Similarly we would lowercase the signer when generating the RRSIG
> and stop doing that around 2020.  That's 8 years to remove the old
> validators.

Lowercasing the signer when generating the RRSIG is perhaps a bit strict
on the data generation side.  Otherwise US. seems to work in practice.

So, in this situation I would recommend keeping -16 as is, and not
changing the situation because of deployed code and signed zones (US,
CO, BIZ).

Best regards,
   Wouter
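The point the thread settles (downcase the Signer's Name in RRSIG rdata, leave the NSEC Next Domain Name as it is in the zone) is easiest to see as the bytes an RRSIG signature actually covers. The following is an added example, not Unbound or BIND code: it builds the RFC 4034 section 3.1.8.1 signature input (RRSIG rdata minus the signature field, followed by the canonical RRset) under three validator case-handling policies and checks which ones rebuild what a signer that lowercases RRSIG rdata but not NSEC rdata produced. The zone, owner names, addresses, key tag, timestamps and the upper-case published Signer's Name "US." are constructed sample data, and SHA-256 stands in for the real signature algorithm since only the covered bytes matter here.

```python
"""Added example (not Unbound or BIND code): which DNSSEC canonical-form
rules a validator must apply to RRSIG and NSEC RDATA, shown as the bytes
an RRSIG signature covers (RFC 4034 sections 3.1.8.1, 6.2 and 6.3).
All names, addresses, timestamps and the key tag are constructed."""
import hashlib
import struct

TYPE_A, TYPE_RRSIG, TYPE_NSEC = 1, 46, 47
CLASS_IN = 1
ORIG_TTL = 3600


def wire_name(name, lowercase):
    """Uncompressed wire-format name; lowercase=True applies the canonical
    downcasing of RFC 4034 6.2 (ASCII labels only, which is all DNS has)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label == "":
            continue                      # root name "." has no labels
        if lowercase:
            label = label.lower()
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rrsig_rdata_prefix(type_covered, signer, lowercase_signer):
    """RRSIG RDATA up to and including Signer's Name, i.e. the RRSIG part
    that the signature covers.  Algorithm 8 (RSASHA256), 2 owner labels,
    constructed expiration/inception/key tag."""
    alg, labels = 8, 2
    expiration, inception, key_tag = 1329000000, 1326800000, 12345
    header = struct.pack("!HBBIIIH", type_covered, alg, labels, ORIG_TTL,
                         expiration, inception, key_tag)
    return header + wire_name(signer, lowercase_signer)


def canonical_rrset(owner, rtype, rdatas):
    """RFC 4034 6.2/6.3: owner lowercased and uncompressed, class IN,
    TTL = original TTL, RRs ordered by RDATA as unsigned octet strings."""
    return b"".join(
        wire_name(owner, True) + struct.pack("!HHIH", rtype, CLASS_IN, ORIG_TTL, len(rd)) + rd
        for rd in sorted(rdatas))


def covered_bytes(owner, rtype, rdatas, signer, lowercase_signer, lowercase_nsec_next):
    """Signature input for one RRset under a given case policy.  NSEC RDATA
    is passed as (next_name, type_bitmap) pairs and encoded here so the
    policy for the Next Domain Name can be applied."""
    if rtype == TYPE_NSEC:
        rdatas = [wire_name(nxt, lowercase_nsec_next) + bitmap for nxt, bitmap in rdatas]
    return rrsig_rdata_prefix(rtype, signer, lowercase_signer) + canonical_rrset(owner, rtype, rdatas)


# Constructed zone content.  The signer publishes its name in upper case,
# as the thread reports for .US; the NSEC next name is mixed case on purpose.
PUBLISHED_SIGNER = "US."
A_RRSET = ("example.us.", TYPE_A, [bytes([192, 0, 2, 2]), bytes([192, 0, 2, 1])])
NSEC_BITMAP = bytes([0, 6, 0x40, 0, 0, 0, 0, 0x03])     # window 0: A, RRSIG, NSEC
NSEC_RRSET = ("example.us.", TYPE_NSEC, [("Example-Two.US.", NSEC_BITMAP)])

# Validator policies: (lowercase RRSIG Signer's Name, lowercase NSEC Next Domain Name)
VALIDATOR_POLICIES = {
    "as_is":      (False, False),   # take both RDATA names exactly as received
    "rrsig_only": (True,  False),   # draft -16 behaviour, what deployed Unbound and BIND do
    "both":       (True,  True),    # also downcase the NSEC Next Domain Name
}


def signer_digest(rrset):
    """What a -16 style signer signed: RRSIG rdata downcased, NSEC rdata not."""
    owner, rtype, rdatas = rrset
    return hashlib.sha256(covered_bytes(owner, rtype, rdatas, PUBLISHED_SIGNER, True, False)).hexdigest()


def validator_results():
    """For each policy, whether the validator rebuilds the signer's covered
    bytes for the A RRset and for the NSEC RRset: {policy: (a_ok, nsec_ok)}."""
    results = {}
    for name, (lc_sig, lc_nsec) in VALIDATOR_POLICIES.items():
        ok = []
        for owner, rtype, rdatas in (A_RRSET, NSEC_RRSET):
            want = signer_digest((owner, rtype, rdatas))
            got = hashlib.sha256(covered_bytes(owner, rtype, rdatas, PUBLISHED_SIGNER, lc_sig, lc_nsec)).hexdigest()
            ok.append(want == got)
        results[name] = tuple(ok)
    return results


if __name__ == "__main__":
    for policy, (a_ok, nsec_ok) in validator_results().items():
        print(f"{policy:11s} A RRset: {'ok' if a_ok else 'FAIL'}   NSEC RRset: {'ok' if nsec_ok else 'FAIL'}")
```

The "as_is" policy fails on every RRset because the published Signer's Name "US." no longer matches the lowercased form the signer covered, which is the validation failure Mark sees with downcasing disabled. The "both" policy only fails on NSEC RRsets whose Next Domain Name carries upper-case characters, so a zone whose next names are already lowercase hides the difference entirely; that is the situation in which a validator can get the NSEC rule wrong and still appear to work.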