Skip Menu |
 

This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 62385
Status: resolved
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: 1fea [...] packet-pushers.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.16
Fixed in: (no value)



Subject: NSEC nxdname must not be compressed
RFC 3845 section 2.1.1 sayeth: A sender MUST NOT use DNS name compression on the Next Domain Name field when transmitting an NSEC RR. (BIND accepts the compression, Unbound does not) A patch: Index: RR/NSEC.pm =================================================================== --- RR/NSEC.pm (revision 861) +++ RR/NSEC.pm (working copy) @@ -91,8 +91,14 @@ my $rdata = "" ; if (exists $self->{"nxtdname"}) { - # Compression used here... - $rdata = $packet->dn_comp(($self->{"nxtdname"}),$offset); + # RFC 3854 2.1.1 + # A sender MUST NOT use DNS name compression on the Next Domain Name + # field when transmitting an NSEC RR. + my @labels = Net::DNS::name2labels($self->{"nxtdname"}); + foreach my $l (@labels) { + $rdata .= pack('CA*', length($l), $l); + } + $rdata .= pack('C', 0); $rdata .= $self->typebm(); } (seems like there must be a utility function that does the necessary packing without compression, but I couldn't find it)
Download (untitled) / with headers
text/plain 860b
On Fri 22 Oct 2010 18:09:14, wessels wrote: Show quoted text
> RFC 3845 section 2.1.1 sayeth: > > A sender MUST NOT use DNS name compression on the Next Domain Name > field when transmitting an NSEC RR.
Absolutely. I've applied your patch. It is in revision 1000 (congratulations :). Show quoted text
> (seems like there must be a utility function that does the necessary > packing without compression, but I couldn't find it)
Indeed there does not seem to be one. Now I could write one in Net::DNS, but then we have to release Net::DNS before we can do a new Net::DNS::SEC release, so I'm just going to use your patch for now. Also the other RR's that need uncompressed dname's, (like the signers name in RRSIG's), use similar methods as you propose. Yours is probably actually better because through name2labels it takes escaped characters etc. into account. Thanks, -- Willem


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.