[ldns-users] canonical signer name in RRSIG during verification

Peter van Dijk peter.van.dijk at netherlabs.nl
Thu Feb 23 12:44:14 UTC 2012


In the 1.6.12 Changelog I see:
        * Canonicalize the signers name rdata field in RRSIGs when signing

It appears the same change has not been applied to verification. This patch fixes validation of results with mixed case signers for me:
--- a/host2wire.c
+++ b/host2wire.c
@@ -205,7 +205,7 @@ ldns_rrsig2buffer_wire(ldns_buffer *buffer, const ldns_rr *rr)
        /* Convert all the rdfs, except the actual signature data
         * rdf number 8  - the last, hence: -1 */
        for (i = 0; i < ldns_rr_rd_count(rr) - 1; i++) {
-               (void) ldns_rdf2buffer_wire(buffer, ldns_rr_rdf(rr, i));
+               (void) ldns_rdf2buffer_wire_canonical(buffer, ldns_rr_rdf(rr, i));
        return ldns_buffer_status(buffer);
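Review bot: the loop `for (i = 0; i < ldns_rr_rd_count(rr) - 1; i++)` now routes every rdf except the signature through ldns_rdf2buffer_wire_canonical, not only the Signer's Name (rdf 7); that is only safe if the canonical writer emits the non-name rdfs (type covered, algorithm, labels, original TTL, expiration, inception, key tag) byte-identical to ldns_rdf2buffer_wire, so please confirm that or limit the canonical call to the signer-name rdf. Downcasing the signer name for the verification input matches RFC 4034 section 6.2 and the signing-side change quoted from the 1.6.12 Changelog, but ldns_rrsig2buffer_wire is a general wire converter, so check whether any caller uses it to emit RRSIGs for transmission, where the case change would now also show up on the wire. A regression test with a mixed-case signer name would pin down the behaviour this hunk fixes.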

I also suspect that this (untested) patch would make ldns more in line with dnssec-bis-16:
--- a/host2wire.c
+++ b/host2wire.c
@@ -113,6 +113,7 @@ ldns_rr2buffer_wire_canonical(ldns_buffer *buffer,
        case LDNS_RR_TYPE_SRV:
        case LDNS_RR_TYPE_DNAME:
        case LDNS_RR_TYPE_A6:
+       case LDNS_RR_TYPE_RRSIG:
                pre_rfc3597 = true;
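Review bot: adding `case LDNS_RR_TYPE_RRSIG:` to the pre_rfc3597 list makes ldns_rr2buffer_wire_canonical downcase the domain names in RRSIG RDATA, which agrees with RFC 4034 section 6.2 and with the dnssec-bis updates (published later as RFC 6840 section 5.1) that keep RRSIG names downcased while leaving NSEC names as-is; leaving NSEC out of this hunk is therefore deliberate and the commit message should cite that section so the asymmetry is not "corrected" later. Since the patch is marked untested, a test that converts an RRSIG with a mixed-case signer through ldns_rr2buffer_wire_canonical and compares the result with the all-lowercase form would confirm that only the name rdf changes and the binary signature rdf is untouched.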

Please let me know what you think.

Kind regards,
Peter van Dijk
