[Unbound-users] [Q] HINFO in signed zone results SERVFAIL, but NOERROR with BIND
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Jan 6 14:20:23 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hoi Rick,
No. Either it is case insensitive and folded by the signer already, or
the case is important. Starting to tryout which change verifies leads in
a very dangerous path. And who knows if SPF strings are not case
sensitive and when they will be used in the HINFO type :-)
The unbound behaviour for HINFO is to follow the dnssec-updates draft.
Best regards,
Wouter
Rick van Rein wrote:
>> Unbound lowercases all text in the rdata of HINFO records before
>> verification. Because that is what I believe RFC4034 6.2(3) means.
>
> Isn't this one of those places where you can be liberal in what you accept?
> That is, trying multiple cases (wire format and lowercase, to be precise)
> while validating the signature?
>
> I mean, there's hardly a security concern in the upper/lowercase distinction.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkljaKYACgkQkDLqNwOhpPjBBACcCO74MrPh0+cqQFT6yJ8raiaQ
o1sAoIRzgt59qApbSAgciXn43zSyWAcH
=AtR6
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list