[ldns-users] canonical signer name in RRSIG during verification

Willem Toorop Willem at NLnetLabs.nl
Tue Feb 28 16:24:34 UTC 2012


OK. Good point. We can't have ldns validate successfully things that
won't be validated by a bind or unbound resolver. Therefore, Peter,
thanks for your patch. Committed :)
-- Willem

Op 28-02-12 16:59, W.C.A. Wijngaards schreef:
> Hi Miek,
> On 02/28/2012 03:29 PM, Miek Gieben wrote:
>> [ Quoting <Willem at nlnetlabs.nl> at 14:18 on Feb 28 in "Re: 
>> [ldns-users] can..." ]
>>> Hi Peter,
>>> First of all; Thanks for diving in so deep!
>>> Then; Sorry for the late response, but those are subtle issues.
>>> I interpret draft-ietf-dnsext-dnssec-bis-updates-16
>>> section-5.1 such that the RDATA section of RRSIG (The Signer's
>>> Name field) should be downcased for ordering and signing. Thus
>>> not specifically for verifying.
> Yes it does mean verifying.  This is because this is what deployed 
> software (at first, BIND, then after .US got signed, soon, unbound 
> too) does.
> ldns verify still implemented the standard, but with the fix that
> it creates lowercase signer-names, thus the canonicalisation
> became immaterial.  Now, dnssec-bis-updates has caught up and is
> moving to RFC and indeed ldns verify should implement the proper
> verification. But we wanted to be careful with implementing
> not-yet-RFC, but this now creates trouble with powerDNS.  So, we
> intend to lowercase signer-names in ldns in canonicalisation
> (and also in verification and signing), as well as keep the
> compatibility lowercase generation of signernames that makes the
> issue immaterial for signatures created by ldns.
>>> If a signer produces (against the very *recent* directive) an 
>>> RRSIG with a mixed case "Signer's Name" a verifier should be 
>>> able to validate that too. Though, I do agree that the
>>> downcased "Signer's name" should be tried to validate also.
>>> A contribution that would do just that would be great! :) (but
>>> if you don't I will of course :)
>>> Also I believe that signers following the new directive put a 
>>> lowercased "Signer's Name" in the RRSIG RDATA. Is this not the 
>>> case? How did you produce the validation failure? Was it from
>>> a situation in the wild?
>> I think:
>> dig +dnssec nic.us DS
>> sums it up nicely.
>> My Go code validates pretty much everything, except signatures
>> from that domain (.US) :(
> You must downcase the signername (implement dnssec-bis-updates).
>> So we have the old spec, the new spec and stuff in the wild...
> Yes BIND used to implement SIG where the signername was
> compressible and thus has to be downcased.  Then moved to RRSIG but
> that code was left in there.  And thus unbound changed, and ldns
> changed it rrsig-generation.  And now its back for ldns verify (of
> signatures that it did not create itself - I think that most
> signers out there generate backwards compatible RRSIGs) :-)
> Check HINFO and NSEC too.  (see dnssec-bis-updates).
> Best regards, Wouter 
> _______________________________________________ ldns-users mailing
> list ldns-users at open.nlnetlabs.nl 
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
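The rule the thread settles on, that a verifier must downcase the RRSIG Signer's Name before reconstructing the signed data, as an added Go example (this is neither ldns code nor Miek's library; the dnssec-bis-updates draft it refers to was later published as RFC 6840). It assumes valid, absolute presentation-form names, and the RRSIG field values used to exercise it are constructed:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"strings"
)

// CanonicalName returns the canonical wire form of a valid, absolute DNS name
// (RFC 4034 6.2): uncompressed, one length octet per label, ASCII letters downcased.
func CanonicalName(name string) []byte {
	var out bytes.Buffer
	name = strings.TrimSuffix(name, ".")
	for _, label := range strings.Split(name, ".") {
		if name == "" {
			break // root name: only the terminating zero octet
		}
		out.WriteByte(byte(len(label))) // labels assumed 1..63 octets
		for i := 0; i < len(label); i++ {
			c := label[i]
			if 'A' <= c && c <= 'Z' {
				c += 'a' - 'A' // downcase ASCII only, as DNS canonicalization does
			}
			out.WriteByte(c)
		}
	}
	out.WriteByte(0)
	return out.Bytes()
}

// RRSIGHeader holds the RRSIG RDATA fields other than the Signature (RFC 4034 3.1)
// as parsed from the wire; SignerName is kept as received, possibly mixed case.
type RRSIGHeader struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string
}

// SignedPrefix returns the leading bytes of the data an RRSIG signature covers:
// the RDATA fields in wire order with the Signer's Name downcased, as RFC 6840
// section 5.1 requires; the verifier appends the canonical RRset before hashing.
func (h RRSIGHeader) SignedPrefix() []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{h.TypeCovered, h.Algorithm, h.Labels, h.OrigTTL, h.Expiration, h.Inception, h.KeyTag} {
		binary.Write(&b, binary.BigEndian, f) // fixed-size integers: cannot fail
	}
	b.Write(CanonicalName(h.SignerName))
	return b.Bytes()
}
```

Feeding the same RRSIG with Signer's Name "US." and "us." through SignedPrefix yields identical bytes, so a signature made over either form verifies; a verifier that copies the name as received would reject the mixed-case one.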
