[ldns-users] canonical signer name in RRSIG during verification
Miek Gieben
miek at miek.nl
Tue Feb 28 14:29:54 UTC 2012
[ Quoting <Willem at nlnetlabs.nl> at 14:18 on Feb 28 in "Re: [ldns-users] can..." ]
> Hi Peter,
>
> First of all; Thanks for diving in so deep!
>
> Then; Sorry for the late response, but those are subtle issues.
> I interpret draft-ietf-dnsext-dnssec-bis-updates-16 section-5.1 such
> that the RDATA section of RRSIG (The Signer's Name field) should be
> downcased for ordering and signing. Thus not specifically for verifying.
>
> If a signer produces (against the very *recent* directive) an RRSIG with
> a mixed case "Signer's Name" a verifier should be able to validate that
> too. Though, I do agree that the downcased "Signer's name" should be
> tried to validate also.
>
> A contribution that would do just that would be great! :)
> (but if you don't I will of course :)
>
> Also I believe that signers following the new directive put a lowercased
> "Signer's Name" in the RRSIG RDATA. Is this not the case? How did you
> produce the validation failure? Was it from a situation in the wild?
I think:
dig +dnssec nic.us DS
sums it up nicely.
My Go code validates pretty much everything, except signatures from that domain
(.US) :(
So we have the old spec, the new spec and stuff in the wild...
grtz Miek
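As an added illustration of the verifier behaviour Willem describes (this is constructed example code, not code from the thread, from ldns, or from Miek's Go library): the RRSIG RDATA prefix that precedes the Signature field is built twice, once with the Signer's Name exactly as carried in the RRSIG and once downcased, so a verifier can try both before giving up. The struct and function names are assumptions; field layout follows RFC 4034 section 3.1.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"strings"
)

// RRSIG holds the RDATA fields that precede the Signature field (RFC 4034 3.1).
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string // presentation form, e.g. "Nic.US."
}

// wireName encodes a presentation-form name as DNS wire-format labels,
// downcased when canonical form is wanted (RFC 4034 6.2).
func wireName(name string, downcase bool) []byte {
	if downcase {
		name = strings.ToLower(name)
	}
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if label != "" {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0) // terminating root label
}

// rdataPrefix builds the RRSIG RDATA up to, not including, the Signature
// field: the first block of bytes that is hashed and signed.
func rdataPrefix(sig RRSIG, downcaseSigner bool) []byte {
	var b bytes.Buffer
	for _, v := range []interface{}{sig.TypeCovered, sig.Algorithm, sig.Labels,
		sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag} {
		binary.Write(&b, binary.BigEndian, v) // fixed-width fields, network byte order
	}
	b.Write(wireName(sig.SignerName, downcaseSigner))
	return b.Bytes()
}

// signerCandidates returns the distinct prefixes a verifier should try in turn:
// the Signer's Name exactly as carried in the RRSIG, then its downcased form.
func signerCandidates(sig RRSIG) [][]byte {
	asIs, lower := rdataPrefix(sig, false), rdataPrefix(sig, true)
	if bytes.Equal(asIs, lower) {
		return [][]byte{asIs}
	}
	return [][]byte{asIs, lower}
}
```

A full verifier would append the canonical RRset to each candidate prefix and check the signature against the DNSKEY once per candidate, accepting on the first success.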