[ldns-users] canonical signer name in RRSIG during verification
Willem Toorop
Willem at NLnetLabs.nl
Tue Feb 28 16:24:34 UTC 2012
OK. Good point. We can't have ldns validate successfully things that
won't be validated by a BIND or unbound resolver. Therefore, Peter,
thanks for your patch. Committed :)
-- Willem
On 28-02-12 16:59, W.C.A. Wijngaards wrote:
> Hi Miek,
>
> On 02/28/2012 03:29 PM, Miek Gieben wrote:
>> [ Quoting <Willem at nlnetlabs.nl> at 14:18 on Feb 28 in "Re:
>> [ldns-users] can..." ]
>>> Hi Peter,
>>>
>>> First of all; Thanks for diving in so deep!
>>>
>>> Then; Sorry for the late response, but those are subtle issues.
>>> I interpret draft-ietf-dnsext-dnssec-bis-updates-16
>>> section-5.1 such that the RDATA section of RRSIG (The Signer's
>>> Name field) should be downcased for ordering and signing. Thus
>>> not specifically for verifying.
>
> Yes it does mean verifying. This is because this is what deployed
> software (at first, BIND, then after .US got signed, soon, unbound
> too) does.
>
> ldns verify still implemented the standard, but with the fix that
> it creates lowercase signer-names, thus the canonicalisation
> became immaterial. Now, dnssec-bis-updates has caught up and is
> moving to RFC and indeed ldns verify should implement the proper
> verification. But we wanted to be careful with implementing
> not-yet-RFC, but this now creates trouble with PowerDNS. So we
> intend to lowercase signer-names in ldns in canonicalisation
> (and also in verification and signing), as well as keep the
> compatibility lowercase generation of signernames that makes the
> issue immaterial for signatures created by ldns.
>
> >>> If a signer produces (against the very *recent* directive) an
> >>> RRSIG with a mixed-case "Signer's Name", a verifier should be
> >>> able to validate that too. Though, I do agree that the
> >>> downcased "Signer's Name" should also be tried for validation.
>>>
>>> A contribution that would do just that would be great! :) (but
>>> if you don't I will of course :)
>>>
>>> Also I believe that signers following the new directive put a
>>> lowercased "Signer's Name" in the RRSIG RDATA. Is this not the
>>> case? How did you produce the validation failure? Was it from
>>> a situation in the wild?
>
>> I think:
>
>> dig +dnssec nic.us DS
>
>> sums it up nicely.
>
>> My Go code validates pretty much everything, except signatures
>> from that domain (.US) :(
>
> You must downcase the signername (implement dnssec-bis-updates).
>
>> So we have the old spec, the new spec and stuff in the wild...
>
> Yes BIND used to implement SIG where the signername was
> compressible and thus has to be downcased. Then moved to RRSIG but
> that code was left in there. And thus unbound changed, and ldns
> changed its RRSIG generation. And now it's back for ldns verify (of
> signatures that it did not create itself - I think that most
> signers out there generate backwards compatible RRSIGs) :-)
>
> Check HINFO and NSEC too. (see dnssec-bis-updates).
>
> Best regards, Wouter
> _______________________________________________ ldns-users mailing
> list ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
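As an added illustration of the point Wouter makes above (this is example code written for this page, not code from ldns, Unbound, BIND, PowerDNS or anyone in the thread), the following Python builds the byte string an RRSIG verifier feeds to the signature algorithm, per RFC 4034 section 3.1.8.1: the RRSIG RDATA with the Signature field removed, followed by the RRset in canonical form. The Signer's Name is part of that prefix, so an RRSIG whose signer name was written as "US." verifies only if the verifier encodes it with the same case the signer used. The draft (dnssec-bis-updates section 5.1) and deployed BIND/unbound always use the downcased form; a tolerant verifier, as Willem suggests, can try the downcased form first and the as-is form second. The DS RDATA, key tag, timestamps and the mixed-case signer name are constructed sample values, not real .US data, and the function and variable names are this example's own.

```python
# Added example (not ldns, Unbound, BIND or the thread participants' code).
# Builds the RFC 4034 section 3.1.8.1 "signed data" for an RRSIG and shows
# how the case of the Signer's Name changes it. All sample values below are
# constructed for the example.
import struct

TYPE_DS, CLASS_IN = 43, 1


def name_to_wire(name, lowercase=True):
    """Encode a presentation-format DNS name as uncompressed wire format.

    With lowercase=True this is the canonical form of RFC 4034 section 6.2,
    which owner names always use and which dnssec-bis-updates also requires
    for the RRSIG Signer's Name. lowercase=False keeps the name as written.
    """
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    out = bytearray()
    for label in labels:
        if lowercase:
            label = label.lower()
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def rrsig_rdata_prefix(fields, lowercase_signer):
    """RRSIG RDATA with the Signature field omitted (RFC 4034 3.1.8.1, step 1).

    fields is a dict with the RRSIG RDATA fields; the fixed-size part is
    18 bytes, followed by the Signer's Name in wire format.
    """
    fixed = struct.pack(
        "!HBBIIIH",
        fields["type_covered"], fields["algorithm"], fields["labels"],
        fields["original_ttl"], fields["expiration"], fields["inception"],
        fields["key_tag"],
    )
    return fixed + name_to_wire(fields["signer_name"], lowercase=lowercase_signer)


def canonical_rrset(owner, rtype, rclass, original_ttl, rdatas):
    """RRset in canonical form (RFC 4034 section 6.3).

    Each RR is owner | type | class | Original TTL | RDLENGTH | RDATA, with the
    owner name downcased and the RRs sorted by RDATA as unsigned octet strings.
    """
    owner_wire = name_to_wire(owner)  # owner names are always downcased
    out = bytearray()
    for rdata in sorted(rdatas):
        out += owner_wire
        out += struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata))
        out += rdata
    return bytes(out)


def signed_data(fields, owner, rtype, rclass, rdatas, lowercase_signer):
    """The bytes the signature algorithm is run over for this RRSIG/RRset."""
    return (rrsig_rdata_prefix(fields, lowercase_signer)
            + canonical_rrset(owner, rtype, rclass, fields["original_ttl"], rdatas))


def verification_candidates(fields, owner, rtype, rclass, rdatas):
    """Signed-data blobs a tolerant verifier should try, in order.

    First the downcased Signer's Name (what BIND, unbound and the draft
    expect), then the name exactly as it appears in the RRSIG, for signers
    that followed the older RFC 4034 reading. Identical blobs are collapsed,
    so an already-lowercase signer name yields a single candidate.
    """
    cands = []
    for lc in (True, False):
        blob = signed_data(fields, owner, rtype, rclass, rdatas, lc)
        if blob not in cands:
            cands.append(blob)
    return cands


# Constructed sample input: one DS record for nic.us with a dummy digest
# (key tag 12345, algorithm 8, digest type 2, 32 placeholder digest bytes).
SAMPLE_DS_RDATAS = [struct.pack("!HBB", 12345, 8, 2) + bytes(range(32))]

# Constructed RRSIG fields with a mixed-case Signer's Name, the shape of
# record that tripped the verifier discussed in the thread. Key tag and
# timestamps are placeholders.
MIXED_CASE_RRSIG = {
    "type_covered": TYPE_DS, "algorithm": 8, "labels": 2,
    "original_ttl": 86400, "expiration": 1331000000, "inception": 1330000000,
    "key_tag": 21366, "signer_name": "US.",
}


def demo():
    """Return (differs, candidate_count) for the sample RRSIG over nic.us DS."""
    strict = signed_data(MIXED_CASE_RRSIG, "nic.us.", TYPE_DS, CLASS_IN,
                         SAMPLE_DS_RDATAS, lowercase_signer=True)
    as_is = signed_data(MIXED_CASE_RRSIG, "nic.us.", TYPE_DS, CLASS_IN,
                        SAMPLE_DS_RDATAS, lowercase_signer=False)
    cands = verification_candidates(MIXED_CASE_RRSIG, "nic.us.", TYPE_DS,
                                    CLASS_IN, SAMPLE_DS_RDATAS)
    return strict != as_is, len(cands)


if __name__ == "__main__":
    print(demo())
```

The two blobs differ only in the bytes `02 55 53` versus `02 75 73` inside the RRSIG RDATA prefix, which is enough to make the signature check fail; a verifier that only builds the as-is form cannot validate signatures produced by a signer that downcased, and vice versa, which is why trying the downcased form first and falling back to the literal form covers both the draft and older signers.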