Is NSEC case sensitive while being signed?
Mark Andrews
Mark_Andrews at isc.org
Wed Mar 12 11:29:31 UTC 2008
> Thank you for the answer, but I have a follow up question. I don't
> quite understand the reason for making NSEC and RRSIG case
> sensitive. Do you mind elaborating a little bit?
>
> Yue
Because RFC 403x accidentally broke existing rules about which
types to downcase for DNSSEC comparison. All types allocated
after a certain point in time are treated as opaque blobs
for DNSSEC. NSEC and RRSIG were allocated after that point
in time. The quoted text just restored the status quo.
Mark
> Yue
> On Mar 11, 8:05 am, Matthew Pounsett <m... at conundrum.com> wrote:
> > On 10-Mar-2008, at 19:03 , nospam.d.... at neverbox.com wrote:
> >
> > > I am using dnssec-signzone from BIND 9.5.0b2. It seems that if I
> > > change the case of the next domain name in the RDATA of NSEC record,
> > > the signature in RRSIG for the NSEC record will change.
> >
> > > Does this mean that next domain name in NSEC is case sensitive, or did
> > > I make some mistake in my experiment?
> >
> > Yes, NSEC is case sensitive. The block of text Mark meant to direct
> > you to is section 2.5 of <http://www.ietf.org/internet-drafts/draft-ietf-dn
> sext-dnssec-bis-upda...
> > >, which is a list of clarifications of previous DNSSEC documents.
> >
> > Specifically,
> >
> > When canonicalizing DNS names, DNS names in the RDATA section of NSEC
> > and RRSIG resource records are not downcased.
> >
> > [RFC4034] Section 6.2 item 3 has a list of resource record types for
> > which DNS names in the RDATA are downcased for purposes of DNSSEC
> > canonical form (for both ordering and signing). That list
> > erroneously contains NSEC and RRSIG. According to [RFC3755], DNS
> > names in the RDATA of NSEC and RRSIG should not be downcased.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
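
The effect discussed in this thread, as an added example that is not part of the original messages and is not BIND code: it builds the canonical wire form of one NSEC record with and without downcasing the next domain name, and hashes it. The names, TTL and type list are constructed sample values, and the SHA-256 digest is a stand-in for the signature input (real signing also prepends the RRSIG RDATA fields, which are identical in both cases).

```python
import hashlib
import struct

NSEC = 47  # NSEC RR type code

def wire_name(name, downcase=False):
    """Encode a domain name in uncompressed DNS wire format."""
    if downcase:
        name = name.lower()
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def type_bitmap(types):
    """Encode the NSEC type bitmap (window number, length, bitmap bytes)."""
    windows = {}
    for t in types:
        block = windows.setdefault(t >> 8, bytearray(32))
        block[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return out

def canonical_nsec_rr(owner, ttl, next_name, types, downcase_rdata):
    """Canonical RR: owner is always downcased; the RDATA name only if asked."""
    rdata = wire_name(next_name, downcase=downcase_rdata) + type_bitmap(types)
    header = struct.pack("!HHIH", NSEC, 1, ttl, len(rdata))  # type, class IN, TTL, RDLENGTH
    return wire_name(owner, downcase=True) + header + rdata

def signing_digest(rr):
    # Stand-in for the signature input; any byte difference changes the RRSIG.
    return hashlib.sha256(rr).hexdigest()

if __name__ == "__main__":
    types = [1, 46, 47]  # A, RRSIG, NSEC (constructed sample)
    for next_name in ("b.example.", "B.Example."):
        for downcase in (False, True):
            rr = canonical_nsec_rr("a.example.", 3600, next_name, types, downcase)
            print(next_name, "downcased" if downcase else "as-is", signing_digest(rr)[:16])
```

With the RDATA name left as-is, the two spellings produce different digests, which matches the behaviour reported for dnssec-signzone above; with downcasing applied they collapse to the same bytes.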