Is NSEC case sensitive while being signed?
nospam.d.lca at neverbox.com
Tue Mar 11 20:11:53 UTC 2008
Thank you for the answer, but I have a follow-up question. I don't
quite understand the reason for making NSEC and RRSIG case
sensitive. Do you mind elaborating a little bit?
Yue
On Mar 11, 8:05 am, Matthew Pounsett <m... at conundrum.com> wrote:
> On 10-Mar-2008, at 19:03 , nospam.d.... at neverbox.com wrote:
>
> > I am using dnssec-signzone from BIND 9.5.0b2. It seems that if I
> > change the case of the next domain name in the RDATA of NSEC record,
> > the signature in RRSIG for the NSEC record will change.
>
> > Does this mean that next domain name in NSEC is case sensitive, or did
> > I make some mistake in my experiment?
>
> Yes, NSEC is case sensitive. The block of text Mark meant to direct
> you to is section 2.5 of <http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-bis-upda...
> >, which is a list of clarifications of previous DNSSEC documents.
>
> Specifically,
>
> When canonicalizing DNS names, DNS names in the RDATA section of NSEC
> and RRSIG resource records are not downcased.
>
> [RFC4034] Section 6.2 item 3 has a list of resource record types for
> which DNS names in the RDATA are downcased for purposes of DNSSEC
> canonical form (for both ordering and signing). That list
> erroneously contains NSEC and RRSIG. According to [RFC3755], DNS
> names in the RDATA of NSEC and RRSIG should not be downcased.
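
An added example, not part of the original post or of BIND: a Python sketch of the canonical form described in the quoted clarification, showing that the bytes covered by the signature change with the case of the NSEC next domain name but not with the case of an NS target. The function names, the sample domain names and the SHA-256 digest standing in for the signature input are assumptions made for illustration.

```python
import hashlib
import struct

# Subset of the RFC 4034 Section 6.2 item 3 list (RDATA names downcased).
# NSEC is deliberately absent, as the quoted clarification requires.
DOWNCASE_RDATA = {"NS", "CNAME", "PTR", "MX"}
TYPE_CODES = {"A": 1, "NS": 2, "RRSIG": 46, "NSEC": 47}

def name_to_wire(name, downcase):
    """Encode a domain name as uncompressed, length-prefixed labels."""
    out = b""
    for label in (l for l in name.split(".") if l):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + (raw.lower() if downcase else raw)
    return out + b"\x00"

def type_bitmap(types):
    """NSEC type bitmap, window block 0 only (type codes below 256)."""
    bits = bytearray(32)
    for t in types:
        code = TYPE_CODES[t]
        bits[code // 8] |= 0x80 >> (code % 8)
    trimmed = bytes(bits).rstrip(b"\x00")
    return bytes([0, len(trimmed)]) + trimmed

def canonical_rr(owner, rrtype, ttl, rdata):
    """Canonical RR: the owner name is always downcased, class is IN."""
    header = struct.pack("!HHIH", TYPE_CODES[rrtype], 1, ttl, len(rdata))
    return name_to_wire(owner, True) + header + rdata

def nsec_rr(owner, next_name, types, ttl=3600):
    # Next domain name keeps its case because NSEC is not in DOWNCASE_RDATA.
    rdata = name_to_wire(next_name, "NSEC" in DOWNCASE_RDATA) + type_bitmap(types)
    return canonical_rr(owner, "NSEC", ttl, rdata)

def ns_rr(owner, target, ttl=3600):
    return canonical_rr(owner, "NS", ttl, name_to_wire(target, "NS" in DOWNCASE_RDATA))

def digest(rr):
    """Stand-in for the signature input: any byte change gives a new RRSIG."""
    return hashlib.sha256(rr).hexdigest()

if __name__ == "__main__":
    types = ["A", "NS", "RRSIG", "NSEC"]  # constructed sample data
    print(digest(nsec_rr("example.com", "host.example.com", types)))
    print(digest(nsec_rr("example.com", "HOST.example.com", types)))  # differs
    print(digest(ns_rr("example.com", "ns1.example.com")))
    print(digest(ns_rr("example.com", "NS1.example.com")))            # same
```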