From jn at stusta.de Wed Nov 13 19:21:19 2013
From: jn at stusta.de (Johannes Naab)
Date: Wed, 13 Nov 2013 20:21:19 +0100
Subject: [ldns-users] case sensitive (should be case insensitive) dname comparison in ldns_pkt_rr_list_by_name and ldns_pkt_rr_list_by_name_and_type
Message-ID: <5283D12F.7000606@stusta.de>

Hi,

the ldns_pkt_rr_list_by_name and ldns_pkt_rr_list_by_name_and_type functions
compare their names with ldns_rdf_compare, and thus are case sensitive with
respect to the owner names.

While DNS should in general preserve the case of the domain names, domain
name comparisons should be done in a case insensitive manner (RFC 1034
Section 3.1, RFC 4343).

Is the current behavior (case sensitive comparison) of
ldns_pkt_rr_list_by_name intended?

My current use case:
There are (unfortunately) some DNS servers which do not follow the case
preservation recommendation, but I still want to extract the relevant
information in a somewhat efficient manner.

One such DNS provider appears to be dnspod.net. Even though the original
query is all upper case, the answer names (both in question and answer
section) are lower case. If I use the original (upper case) query name, ldns
fails to extract the resource records. (The only way around this is to
iterate over the rr_list, and compare each owner with the original query
name. This is exactly what I tried to avoid in the first place, since I use
pyLDNS).

Replacing ldns_rdf_compare with ldns_dname_compare in the two functions
seems to work for me, however I'm not sure how to properly check the rdf
type, and what other implications this change might have.

% drill @f2y1dns1.dnspod.net. DNSPOD.NET. NS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13558
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dnspod.net. IN NS

;; ANSWER SECTION:
dnspod.net. 172800 IN NS f2y1dns1.dnspod.net.
dnspod.net. 172800 IN NS f2y1dns2.dnspod.net.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 386 msec
;; SERVER: 221.204.186.8
;; WHEN: Wed Nov 13 20:10:50 2013
;; MSG SIZE rcvd: 94

Johannes

--

From calle at init.se Mon Nov 18 14:09:16 2013
From: calle at init.se (Calle Dybedahl)
Date: Mon, 18 Nov 2013 15:09:16 +0100
Subject: [ldns-users] Given a DS and a DNSKEY, how do I check if the DS signs the DNSKEY?
Message-ID: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se>

Hello.

I've been trying to figure this out from the documentation and the source
code, but I'm not getting anywhere, so I thought I'd ask here.

Given two ldns_rr objects, one of type LDNS_RR_TYPE_DS and one of type
LDNS_RR_TYPE_DNSKEY, what do I need to do to find out if the DS correctly
signs the DNSKEY? Pointers to what documentation to read are just as welcome
as plain answers.

--
Calle Dybedahl
calle at init.se -*- +46 703 - 970 612

From miek at miek.nl Mon Nov 18 14:21:19 2013
From: miek at miek.nl (Miek Gieben)
Date: Mon, 18 Nov 2013 14:21:19 +0000
Subject: [ldns-users] Given a DS and a DNSKEY, how do I check if the DS signs the DNSKEY?
In-Reply-To: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se>
References: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se>
Message-ID: <20131118142119.GD23837@miek.nl>

[ Quoting in "[ldns-users] Given a DS and a DNSKE..." ]
> Hello.
>
> I've been trying to figure this out from the documentation and the source code, but I'm not getting anywhere, so I thought I'd ask here.
>
> Given two ldns_rr objects, one of type LDNS_RR_TYPE_DS and one of type
> LDNS_RR_TYPE_DNSKEY, what do I need to do to find out if the DS correctly signs
> the DNSKEY? Pointers to what documentation to read are just as welcome as plain
> answers.

"signs"? I think you mean: is the DS derived from the DNSKEY?

So I would just do that: convert the DNSKEY to a DS and compare that to
the DS record you're holding.

grtz Miek

From calle at init.se Mon Nov 18 14:26:50 2013
From: calle at init.se (Calle Dybedahl)
Date: Mon, 18 Nov 2013 15:26:50 +0100
Subject: [ldns-users] Given a DS and a DNSKEY, how do I check if the DS signs the DNSKEY?
In-Reply-To: <20131118142119.GD23837@miek.nl>
References: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se> <20131118142119.GD23837@miek.nl>
Message-ID: <455ED2BB-3366-43AB-A3CA-05533308D3F4@init.se>

On 18 nov 2013, at 15:21, Miek Gieben wrote:

> "signs"? I think you mean: is the DS derived from the DNSKEY?
>
> So I would just do that: convert the DNSKEY to a DS and compare that to
> the DS record you're holding.

Right. Of course. I've been thinking about that all wrong. Thanks.

--
Calle Dybedahl
calle at init.se -*- +46 703 - 970 612

From jn at stusta.de Mon Nov 18 14:33:43 2013
From: jn at stusta.de (Johannes Naab)
Date: Mon, 18 Nov 2013 15:33:43 +0100
Subject: [ldns-users] Given a DS and a DNSKEY, how do I check if the DS signs the DNSKEY?
In-Reply-To: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se>
References: <4D37CB21-0F63-415D-A720-48848C9ED3CA@init.se>
Message-ID: <528A2547.5030108@stusta.de>

On 2013-11-18 15:09, Calle Dybedahl wrote:
> Hello.
>
> I've been trying to figure this out from the documentation and the source code, but I'm not getting anywhere, so I thought I'd ask here.
>
> Given two ldns_rr objects, one of type LDNS_RR_TYPE_DS and one of type LDNS_RR_TYPE_DNSKEY, what do I need to do to find out if the DS correctly signs the DNSKEY? Pointers to what documentation to read are just as welcome as plain answers.
>

The functions ldns_rr_compare_ds and ldns_rr_compare_ds_dnskey should do
exactly that. ldns_rr_compare_ds is documented in the man pages.
--

From willem at nlnetlabs.nl Tue Nov 19 11:31:35 2013
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 19 Nov 2013 12:31:35 +0100
Subject: [ldns-users] case sensitive (should be case insensitive) dname comparison in ldns_pkt_rr_list_by_name and ldns_pkt_rr_list_by_name_and_type
In-Reply-To: <5283D12F.7000606@stusta.de>
References: <5283D12F.7000606@stusta.de>
Message-ID: <528B4C17.2080901@nlnetlabs.nl>

Hi Johannes,

I investigated our repository a bit. The lines doing the comparison with
ldns_rdf_compare in ldns_pkt_rr_list_by_name and
ldns_pkt_rr_list_by_name_and_type are still the same as when those functions
were introduced (by Miek) over 8 years ago. (Commit
2960f99469c6cca4df5c1c2e72af963eb27f7ede)

ldns_dname_compare did not yet exist during that commit, although it was
introduced (by Jelte) shortly afterwards. (Commit
04491ac4bb1ab2c0c94d0e8eeb88c80df187ad4c).

So,

On 13-11-13 20:21, Johannes Naab wrote:
> Is the current behavior (case sensitive comparison) of
> ldns_pkt_rr_list_by_name intended?

No, it just evolved like this.
I have fixed the issue. The fix will be in the 1.7.0 release which will
follow shortly.

Thanks for noticing!

-- Willem
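
Added example for the case-sensitivity thread above (not part of any message, and not ldns or pyLDNS code): owner-name filtering with the RFC 4343 rule, run over the ANSWER section from the drill output. The function names are hypothetical; the parser also handles the \. and \DDD escapes of presentation format, which goes slightly beyond the case shown in the thread.

```python
# Added example: RFC 4343 owner-name matching in plain Python (not the ldns API).

def parse_name(name: str) -> tuple:
    """Split a presentation-format name into raw labels (RFC 1035 5.1 escapes)."""
    raw = name.encode("ascii")
    if raw == b".":
        return ()                        # the root name has no labels
    labels, cur, i = [], bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\":
            ddd = raw[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                cur.append(int(ddd))     # \DDD: one octet given in decimal
                i += 4
            else:
                cur += raw[i + 1:i + 2]  # \X: the next character, literally
                i += 2
        elif raw[i:i + 1] == b".":
            if not cur:
                raise ValueError("empty label in %r" % name)
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(raw[i])
            i += 1
    if cur:
        labels.append(bytes(cur))
    return tuple(labels)

def canonical(name: str) -> tuple:
    # bytes.lower() folds only ASCII A-Z (the RFC 4343 rule); octets >= 0x80 stay.
    return tuple(label.lower() for label in parse_name(name))

def same_name(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)

def rrs_by_name(rrs, qname):
    """Return the records whose owner equals qname, ignoring ASCII case."""
    want = canonical(qname)
    return [rr for rr in rrs if canonical(rr[0]) == want]

# ANSWER section from the drill output in the first message.
ANSWER = [
    ("dnspod.net.", 172800, "IN", "NS", "f2y1dns1.dnspod.net."),
    ("dnspod.net.", 172800, "IN", "NS", "f2y1dns2.dnspod.net."),
]
QNAME = "DNSPOD.NET."                    # the query name as it was sent
```

A byte-exact comparison of the owners against QNAME selects nothing from this answer, while rrs_by_name(ANSWER, QNAME) returns both NS records.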
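
Added example for the DS/DNSKEY thread above (not part of any message): Miek's suggestion, derive a DS from the DNSKEY and compare it with the DS you hold, written in plain Python following RFC 4034 section 5.1.4 and Appendix B. It does not use ldns or pyLDNS; the function names and the key material are constructed for illustration.

```python
# Added example: derive a DS from a DNSKEY and compare it with a held DS.
import hashlib
import hmac
import struct

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest type -> hashlib name

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: length-prefixed labels, ASCII lower-cased.
    Simplification: presentation-format escapes are not handled."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii").lower()
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """(key tag, algorithm, digest type, digest) as in RFC 4034 section 5.1.4."""
    h = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.digest())

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True only when the held DS equals the DS derived from this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False          # unknown digest type: cannot confirm, so reject
    want = make_ds(owner, rdata, dtype)
    return (tag, alg) == want[:2] and hmac.compare_digest(digest, want[3])

# Constructed sample data: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes.
OWNER = "example.net."
RDATA = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
HELD_DS = make_ds("EXAMPLE.NET.", RDATA, 2)   # stands in for the parent's DS

if __name__ == "__main__":
    print(ds_matches_dnskey(HELD_DS, OWNER, RDATA))
```

The owner name is lower-cased before hashing, so a DS built for EXAMPLE.NET. still matches a DNSKEY at example.net., while any change to the key bytes or the owner name makes the comparison fail.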