[ldns-users] canonical signer name in RRSIG during verification

Miek Gieben miek at miek.nl
Tue Feb 28 14:29:54 UTC 2012

[ Quoting <Willem at nlnetlabs.nl> at 14:18 on Feb 28 in "Re: [ldns-users] can..." ]
> Hi Peter,
> First of all; Thanks for diving in so deep!
> Then; Sorry for the late response, but those are subtle issues.
> I interpret draft-ietf-dnsext-dnssec-bis-updates-16 section-5.1 such
> that the RDATA section of RRSIG (The Signer's Name field) should be
> downcased for ordering and signing. Thus not specifically for verifying.
> If a signer produces (against the very *recent* directive) an RRSIG with
> an mixed case "Signer's Name" a verifier should be able to validate that
> too. Though, I do agree that the downcased "Signer's name" should be
> tried to validate also.
> A contribution that would do just that would be great! :)
> (but if you don't I will of course :)
> Also I believe that signers following the new directive put a lowercased
> "Signer's Name" in the RRSIG RDATA. Is this not the case? How did you
> produce the validation failure? Was it from a situation in the wild?

I think: 

    dig +dnssec nic.us DS

sums it up nicely. 

My Go code validates pretty much everything, except signatures from that domain
(.US) :(

So we have the old spec, the new spec and stuff in the wild...

grtz Miek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/ldns-users/attachments/20120228/ab00fb4d/attachment-0001.bin>

More information about the ldns-users mailing list