Re: [dnsext] downcasing of names in IPSECKEY and HIP?

Mark Andrews <marka@isc.org> Thu, 23 February 2012 22:18 UTC

To: Edward Lewis <Ed.Lewis@neustar.biz>
From: Mark Andrews <marka@isc.org>
References: <7D06DD86-7FF8-467E-B320-32B525C72B9C@netherlabs.nl> <20120223111847.DFDA81DC1B7B@drugs.dv.isc.org> <a06240800cb6beed8cba6@[10.31.203.212]>
In-reply-to: Your message of "Thu, 23 Feb 2012 08:53:42 CDT." <a06240800cb6beed8cba6@[10.31.203.212]>
Date: Fri, 24 Feb 2012 09:18:16 +1100
Message-Id: <20120223221816.B00C61DC3C81@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] downcasing of names in IPSECKEY and HIP?

In message <a06240800cb6beed8cba6@[10.31.203.212]>, Edward Lewis writes:
> At 22:18 +1100 2/23/12, Mark Andrews wrote:
> >  Peter van Dijk writes:
> >>  Dear colleagues,
> >>
> >>  working from dnssec-bis-updates-16 section 5.1, and 6.2 of 4034, I
> >>  gather that the rule for downcasing names in RDATA is not simply
> >>  "downcase everything that is a name", but that the RRtypes listed have
> >>  been selected for a reason.
> ...
> >>  My apologies if answers to these questions are in the archives; I
> >>  did a cursory search but did not find anything.
> >
> >The answers are in the RFCs.  http://www.ietf.org/rfc/rfc3597.txt
> 
> Except that the RFCs aren't clear and contradict themselves.  I'm 
> responding because I spent a non-trivial amount of time on this very 
> topic sometime last year.
> 
> The general rule is supposed to be: if the type is compressible any 
> domain name in the RDATA has to be downcased when doing DNSSEC 
> operations (signing, validating).  That is because the case of the 
> domain name might change due to the order of the response packet and 
> the extent to which the sender tries to maintain case.
> 
> But, mistakes were made.  Compression was defined early.  A problem 
> arose when new types, those in 1183 and later, were defined and 
> implementers assumed that these new types should be compressed.  The 
> reason they shouldn't was related to backwards compatibility, but 
> that wasn't seen as a crucial design goal at the time.  Because some 
> implementations of types defined in this "era" compressed the names, 
> today we say "be prepared to see these compressed but don't compress 
> them anymore."  Hence, down casing is needed.

To compress or not is more a matter of signaling understanding of
record internals.  No such signaling has been defined so we don't
compress as we don't know if the receiver can expand the compression.

We could add an EDNS option with a bit map similar to NSEC's bitmap
that signaled understanding of the type's internals.  This would
allow us to compress any type identified by the bit map.  We would
still need to do lossless compression rather than the lossy compression
currently used so that DNSSEC signatures do not break.

New AXFR implementations are supposed to use lossless compression,
rather than lossy compression, so that the case of compressed rdata
is preserved.  This is done by using compression pointers that point
to label sequences that have the correct case.

Case preservation was one of the design goals of the DNS, it has just
not been well implemented.

RFC 1035, 2.3.3. Character Case

For all parts of the DNS that are part of the official protocol, all
comparisons between character strings (e.g., labels, domain names, etc.)
are done in a case-insensitive manner.  At present, this rule is in
force throughout the domain system without exception.  However, future
additions beyond current usage may need to use the full binary octet
capabilities in names, so attempts to store domain names in 7-bit ASCII
or use of special bytes to terminate labels, etc., should be avoided.

> And then there's the most frustrating case of the RRSIG.  Although it 
> was defined after the new enlightenment that new types should not be 
> compressed, the leading implementation continued to down case the 
> type by mistake.  Kind of illustrating that code beats specification, 
> other implementations followed the leading implementation and not the 
> specification.  To this day, if you don't down case RRSIG there will 
> likely be interoperability problems with your implementation.
> 
> From my spreadsheet, the following type codes are to be down cased for DNSSEC:
> 
> 2-9,12,14,15,17,18,21,24,26,30,33,35,36,38,39,46.
> (Some of those are obsolete.)
> 
> The types that are to be compressed on sending and might (will) be on 
> receiving:
> 
> 2-9,12,14,15.
> 
> These are in the "well-known" range, those defined in STD 13 documents.
> 
> Types not to be compressed when sending but might be on receiving:
> 
> 17,18,21,24,26,30,33,35.
> 
> The other types, 36, 38, 39, 46 are KX, A6, DNAME, and RRSIG.  Except 
> for RRSIG, these were simply erroneously defined as needing to be 
> down cased from the start.
> 
> As far as I can tell...
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
> 
> 2012...time to reuse those 1984 calendars!
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
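The lossless-versus-lossy compression point Mark makes above (a pointer must only reuse a label sequence that already has the right case, otherwise the receiver decodes a name whose case differs from what the sender intended), as an added example in Python. This is not code from the thread, nor from ISC or BIND. It assumes presentation-form names with a trailing dot, a constructed two-name message behind a placeholder 12-octet header, and a suffix table keyed either by the exact octets (lossless) or case-folded (lossy). The canonical-form type list is the one from Ed Lewis's message; IPSECKEY (45) is used only as an example of a type that is not on it.

```python
"""Lossless vs lossy DNS name compression, and RFC 4034 6.2 downcasing (added example)."""

# Type codes whose RDATA names are downcased for DNSSEC canonical form, as listed
# in Ed Lewis's message above (RFC 4034 section 6.2 is the normative list).
DOWNCASE_RDATA_TYPES = frozenset(range(2, 10)) | {12, 14, 15, 17, 18, 21, 24,
                                                 26, 30, 33, 35, 36, 38, 39, 46}


def canonical_rdata_name(rrtype, name):
    """Canonical-form treatment of a domain name found inside RDATA of RRTYPE."""
    return name.lower() if rrtype in DOWNCASE_RDATA_TYPES else name


def labels(name):
    """Split 'www.Example.COM.' into [b'www', b'Example', b'COM'] (root label dropped)."""
    return [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]


def encode_name(name, offset, table, lossless=True):
    """Emit the wire form of NAME starting at message OFFSET, reusing suffixes from TABLE.

    TABLE maps a suffix key to the offset where that suffix was already written.
    Lossless mode keys by the exact octets, so a pointer is emitted only when the
    earlier copy has identical case.  Lossy mode keys case-insensitively, which
    RFC 1035 permits but which changes the case the decoder reconstructs.
    """
    labs = labels(name)
    out = bytearray()
    for i, lab in enumerate(labs):
        suffix = b".".join(labs[i:])
        key = suffix if lossless else suffix.lower()
        if key in table:
            ptr = table[key]
            out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])   # 2-octet compression pointer
            return bytes(out)
        if offset + len(out) < 0x4000:                      # pointers only reach 14 bits
            table[key] = offset + len(out)                  # remember where this suffix starts
        out += bytes([len(lab)]) + lab
    out += b"\x00"                                          # root label terminates the name
    return bytes(out)


def decode_name(msg, offset):
    """Follow labels and pointers from OFFSET; return (name, offset just past the first copy)."""
    parts, jumped, end, hops = [], False, None, 0
    while True:
        ln = msg[offset]
        if ln & 0xC0 == 0xC0:                               # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((ln & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                                   # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if ln == 0:
            if not jumped:
                end = offset
            break
        parts.append(msg[offset:offset + ln].decode("ascii"))
        offset += ln
    return ".".join(parts) + ".", end


def round_trip(names, lossless):
    """Encode NAMES into one constructed message, decode them back.

    Returns (decoded names, total message length) so the caller can see both
    whether case survived and whether any compression actually happened.
    """
    msg, table, starts = bytearray(12), {}, []              # 12 zero octets stand in for the header
    for n in names:
        starts.append(len(msg))
        msg += encode_name(n, len(msg), table, lossless)
    return [decode_name(bytes(msg), s)[0] for s in starts], len(msg)


if __name__ == "__main__":
    sample = ["Example.COM.", "www.example.com."]          # constructed input
    print("lossy   :", round_trip(sample, lossless=False))
    print("lossless:", round_trip(sample, lossless=True))
    print("canonical MX target:", canonical_rdata_name(15, "Mail.Example.COM."))
```

With the lossy table the second name comes back as `www.Example.COM.`, because its pointer lands on the first name's mixed-case labels; the lossless table declines to reuse that suffix and spends 11 more octets to keep `www.example.com.` intact, which is what a DNSSEC validator hashing the RDATA needs when the type is not on the downcase list. When the earlier copy already has matching case, lossless mode compresses just as well as lossy mode.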