[ldns-users] canonical signer name in RRSIG during verification
miek at miek.nl
Tue Feb 28 14:29:54 UTC 2012
[ Quoting <Willem at nlnetlabs.nl> at 14:18 on Feb 28 in "Re: [ldns-users] can..." ]
> Hi Peter,
> First of all, thanks for diving in so deep!
> Then, sorry for the late response, but those are subtle issues.
> I interpret draft-ietf-dnsext-dnssec-bis-updates-16 section-5.1 such
> that the RDATA section of RRSIG (The Signer's Name field) should be
> downcased for ordering and signing. Thus not specifically for verifying.
> If a signer produces (against the very *recent* directive) an RRSIG with
> a mixed-case "Signer's Name", a verifier should be able to validate that
> too. Though, I do agree that the downcased "Signer's Name" should also be
> tried for validation.
> A contribution that would do just that would be great! :)
> (but if you don't I will of course :)
> Also I believe that signers following the new directive put a lowercased
> "Signer's Name" in the RRSIG RDATA. Is this not the case? How did you
> produce the validation failure? Was it from a situation in the wild?
dig +dnssec nic.us DS
sums it up nicely.
My Go code validates pretty much everything, except signatures from that domain.
So we have the old spec, the new spec and stuff in the wild...
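As an added illustration of the verification strategy discussed above (this is example code, not ldns's or Miek's Go code): the signature covers the RRSIG RDATA up to and including the Signer's Name, so a verifier that only uses the name as carried in the RRSIG fails on signers that downcased it. The verifier below tries the name as-is and then downcased. The RRSIG header fields, the RRset bytes and the use of Ed25519 are constructed assumptions for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
)
// wireName encodes a domain name as DNS wire-format labels, case preserved.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0) // terminating root label
}

// signedData is what the signature covers (RFC 4034 3.1.8.1): the RRSIG RDATA without
// the Signature field, then the RRset. Fixed fields are constructed sample values.
func signedData(signer string, rrset []byte) []byte {
	hdr := make([]byte, 18)
	binary.BigEndian.PutUint16(hdr[0:], 43)          // Type Covered: DS
	hdr[2], hdr[3] = 15, 2                           // Algorithm (ED25519, assumed), Labels
	binary.BigEndian.PutUint32(hdr[4:], 3600)        // Original TTL
	binary.BigEndian.PutUint32(hdr[8:], 1330560000)  // Signature Expiration (sample)
	binary.BigEndian.PutUint32(hdr[12:], 1328400000) // Signature Inception (sample)
	binary.BigEndian.PutUint16(hdr[16:], 12345)      // Key Tag (sample)
	return append(append(hdr, wireName(signer)...), rrset...)
}

// verifyLenient tries the Signer's Name exactly as carried in the RRSIG, then
// downcased, so old-style and new-style signers both validate. Returns (ok, usedDowncased).
func verifyLenient(pub ed25519.PublicKey, sig []byte, signer string, rrset []byte) (bool, bool) {
	if ed25519.Verify(pub, signedData(signer, rrset), sig) {
		return true, false
	}
	lower := strings.ToLower(signer)
	if lower != signer && ed25519.Verify(pub, signedData(lower, rrset), sig) {
		return true, true
	}
	return false, false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rrset := []byte("constructed DS RRset bytes")
	sig := ed25519.Sign(priv, signedData("us.", rrset)) // signer downcased per dnssec-bis-updates
	fmt.Println(verifyLenient(pub, sig, "US.", rrset))  // RRSIG carries mixed case: true true
}
```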