Is NSEC case sensitive while being signed?
Matthew Pounsett
matt at conundrum.com
Tue Mar 11 15:05:44 UTC 2008
On 10-Mar-2008, at 19:03 , nospam.d.lca at neverbox.com wrote:
> I am using dnssec-signzone from BIND 9.5.0b2. It seems that if I
> change the case of the next domain name in the RDATA of NSEC record,
> the signature in RRSIG for the NSEC record will change.
>
> Does this mean that next domain name in NSEC is case sensitive, or did
> I make some mistake in my experiment?
Yes, NSEC is case sensitive. The block of text Mark meant to direct
you to is section 2.5 of
<http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-bis-updates-06.txt>,
which is a list of clarifications of previous DNSSEC documents.
Specifically,
    When canonicalizing DNS names, DNS names in the RDATA section of NSEC
    and RRSIG resource records are not downcased.

    [RFC4034] Section 6.2 item 3 has a list of resource record types for
    which DNS names in the RDATA are downcased for purposes of DNSSEC
    canonical form (for both ordering and signing). That list
    erroneously contains NSEC and RRSIG. According to [RFC3755], DNS
    names in the RDATA of NSEC and RRSIG should not be downcased.
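
The effect described in this exchange, as an added example that is not part of the original post and is not BIND code: it builds the canonical wire form of an NSEC record with the next domain name left in its original case, and of an NS record with the target downcased. A SHA-256 digest of the canonical RR stands in for the signature input (a real RRSIG also covers a prefix of its own RDATA); all names and the TTL are constructed.

```python
import hashlib
import struct

TYPE_NS, TYPE_NSEC, CLASS_IN = 2, 47, 1

def wire_name(name, downcase):
    """Encode a domain name in uncompressed DNS wire format."""
    if downcase:
        name = name.lower()
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def type_bitmap(types):
    """NSEC type bitmap (RFC 4034 section 4.1.2), window block 0 only."""
    if any(not 0 < t < 256 for t in types):
        raise ValueError("this example only handles types 1..255")
    bits = bytearray(32)
    for t in types:
        bits[t // 8] |= 0x80 >> (t % 8)
    trimmed = bytes(bits).rstrip(b"\x00")
    return bytes([0, len(trimmed)]) + trimmed

def canonical_rr(owner, rtype, ttl, rdata):
    """Owner name is always downcased; RDATA is passed in already encoded."""
    header = struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata))
    return wire_name(owner, downcase=True) + header + rdata

def nsec_digest(owner, next_name, types, ttl=3600):
    # Per the draft text quoted above: the next domain name is NOT downcased.
    rdata = wire_name(next_name, downcase=False) + type_bitmap(types)
    return hashlib.sha256(canonical_rr(owner, TYPE_NSEC, ttl, rdata)).hexdigest()

def ns_digest(owner, target, ttl=3600):
    # NS is in the RFC 4034 section 6.2 list: the RDATA name IS downcased.
    rdata = wire_name(target, downcase=True)
    return hashlib.sha256(canonical_rr(owner, TYPE_NS, ttl, rdata)).hexdigest()

if __name__ == "__main__":
    types = [2, 46, 47]  # NS, RRSIG, NSEC (constructed sample)
    print("NSEC lower:", nsec_digest("a.example.", "b.example.", types))
    print("NSEC mixed:", nsec_digest("a.example.", "B.Example.", types))
    print("NS   lower:", ns_digest("example.", "ns1.example."))
    print("NS   mixed:", ns_digest("example.", "NS1.Example."))
```

The two NSEC digests differ while the two NS digests match, which is why re-casing the next domain name in a zone file produces a different RRSIG from dnssec-signzone.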