[ldns-users] canonical signer name in RRSIG during verification

Willem Toorop Willem at NLnetLabs.nl
Tue Feb 28 13:18:22 UTC 2012


Hi Peter,

First of all: thanks for diving in so deep!

Then: sorry for the late response, but those are subtle issues.
I interpret draft-ietf-dnsext-dnssec-bis-updates-16 section-5.1 such
that the RDATA section of RRSIG (The Signer's Name field) should be
downcased for ordering and signing. Thus not specifically for verifying.

If a signer produces (against the very *recent* directive) an RRSIG with
a mixed-case "Signer's Name", a verifier should be able to validate that
too. Though, I do agree that the downcased "Signer's Name" should be
tried to validate also.

A contribution that would do just that would be great! :)
(but if you don't I will of course :)

Also I believe that signers following the new directive put a lowercased
"Signer's Name" in the RRSIG RDATA. Is this not the case? How did you
produce the validation failure? Was it from a situation in the wild?

-- Willem
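The verification behaviour discussed above (accept the Signer's Name as carried in the RRSIG, then fall back to its downcased form) as an added example; this is not ldns code or anything from the thread. It builds the RRSIG RDATA prefix and a canonical RR in wire format as RFC 4034 describes them, but uses a keyed hash (HMAC-SHA256 with a constructed key) as a stand-in for the real public-key signature so it runs offline; the zone names, TTLs, timestamps and key tag are constructed sample values.

```python
"""Canonical Signer's Name handling for RRSIG verification.

Added example, not ldns code.  RFC 4034 section 6.2 downcases DNS names
inside RRSIG RDATA for the canonical form, and RFC 6840 section 5.1
spells out that the Signer's Name field is downcased for ordering and
signing.  A verifier that only uses the field byte-for-byte as received
fails on RRSIGs whose signer downcased it before signing but wrote a
mixed-case name into the record; trying the downcased form as well
covers that case.  HMAC-SHA256 stands in for the public-key signature.
"""
import hashlib
import hmac
import struct

# Constructed key material standing in for a DNSKEY (assumption).
TOY_KEY = b"constructed-key-material-not-real"


def name_to_wire(name: str) -> bytes:
    """Encode a presentation-format name as uncompressed wire labels."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def canonical_name_wire(name: str) -> bytes:
    """Canonical form (RFC 4034 6.2): uncompressed, all letters lowercased."""
    return name_to_wire(name.lower())


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer_name_wire):
    """RRSIG RDATA with the Signature field omitted: the bytes that are
    signed together with the canonical RRset (RFC 4034 3.1.8.1)."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, key_tag)
    return fixed + signer_name_wire


def canonical_rr(owner, rtype, rclass, ttl, rdata):
    """One RR in canonical wire form: owner | type | class | TTL | rdlength | rdata."""
    return (canonical_name_wire(owner)
            + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)


def toy_sign(data: bytes) -> bytes:
    """Stand-in for the DNSSEC signature over RRSIG_RDATA || RRset."""
    return hmac.new(TOY_KEY, data, hashlib.sha256).digest()


def sign_with(rrset_wire, fields, signer_name_wire):
    """Signer side: signer_name_wire is whatever the signer put into the
    data it signed (canonical per RFC 6840, mixed case for older signers)."""
    return toy_sign(rrsig_rdata_prefix(*fields, signer_name_wire) + rrset_wire)


def verify_rrsig(rrset_wire, fields, signer_name_in_rrsig, signature):
    """Verifier side: first use the Signer's Name exactly as carried in the
    RRSIG, then its downcased form.  Returns which form validated, or None."""
    candidates = [("as-is", name_to_wire(signer_name_in_rrsig)),
                  ("downcased", canonical_name_wire(signer_name_in_rrsig))]
    tried = set()
    for label, wire in candidates:
        if wire in tried:          # already-lowercase names need only one try
            continue
        tried.add(wire)
        expected = toy_sign(rrsig_rdata_prefix(*fields, wire) + rrset_wire)
        if hmac.compare_digest(expected, signature):
            return label
    return None


def demo():
    """Three signer behaviours plus a tampered RRset, all constructed."""
    rrset = canonical_rr("www.Example.COM.", 1, 1, 3600, bytes([192, 0, 2, 1]))
    # type A, algorithm 8, 3 labels, TTL, expiration, inception, key tag
    fields = (1, 8, 3, 3600, 1330500000, 1329300000, 12345)
    results = {}
    # RFC 6840 signer: lowercase in the record, lowercase in the signed data.
    sig = sign_with(rrset, fields, canonical_name_wire("example.com."))
    results["conforming"] = verify_rrsig(rrset, fields, "example.com.", sig)
    # Older signer: mixed case in the record and in the signed data.
    sig = sign_with(rrset, fields, name_to_wire("Example.COM."))
    results["legacy"] = verify_rrsig(rrset, fields, "Example.COM.", sig)
    # Signed over the downcased name but mixed case written into the RRSIG:
    # only the fallback succeeds.
    sig = sign_with(rrset, fields, canonical_name_wire("Example.COM."))
    results["mixed"] = verify_rrsig(rrset, fields, "Example.COM.", sig)
    # Altered RRset: neither form may validate.
    other = canonical_rr("www.example.com.", 1, 1, 3600, bytes([192, 0, 2, 2]))
    results["tampered"] = verify_rrsig(other, fields, "Example.COM.", sig)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} -> {outcome}")
```

The `tried` set keeps the verifier from hashing twice when the name in the RRSIG is already lowercase, which is the common case once signers follow the updated directive; the downcased attempt only costs anything for the mixed-case records the thread is about.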


