Skip Menu |
 

This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 75892
Status: resolved
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: wjhns117 [...] hardakers.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.16
Fixed in: (no value)

Attachments


Subject: New NSEC conversion rules by DNSSECbis
Download (untitled) / with headers
text/plain 833b
So, I'm glad this one is finally being resolved. It's obviously been a problem but it's clear now, based on the current DNSSECbis draft, that there are multiple interpretations as well as a new "strategy for the future". Specifically from draft-ietf-dnsext-dnssec-bis-updates-17.txt: 5.1. Errors in Canonical Form Type Code List When canonicalizing DNS names (for both ordering and signing), DNS names in the RDATA section of NSEC resource records are not downcased. DNS names in the RDATA section of RRSIG resource records are downcased. Which requires the attached patch to NSEC.pm. [FYI, I've been watching problems with DNSSEC-Tools' donuts, which uses RRSIG.pm and NSEC.pm for years and everytime I toggle the behavior some other implementation requires me to toggle it back. I'm glad it's not just me.]
Subject: v0.16-NSEC-nxtdname-issue.patch
--- RR/NSEC.pm.~1~ 2012-03-19 13:51:10.632177561 -0700 +++ RR/NSEC.pm 2012-03-19 13:51:19.029238145 -0700 @@ -106,7 +106,7 @@ sub _normalize_dnames { my $self=shift; $self->_normalize_ownername(); - $self->{'nxtdname'}=lc(Net::DNS::stripdot($self->{'nxtdname'})) if defined $self->{'nxtdname'}; + $self->{'nxtdname'}=Net::DNS::stripdot($self->{'nxtdname'}) if defined $self->{'nxtdname'}; }
Download (untitled) / with headers
text/plain 672b
On Mon 19 Mar 2012 18:23:28, HARDAKER wrote: Show quoted text
> So, I'm glad this one is finally being resolved. It's obviously been > a problem but it's clear now, based on the current DNSSECbis draft,
Indeed! I've commited to trunk. Show quoted text
> that there are multiple interpretations as well as a new "strategy > for the future". > Specifically from draft-ietf-dnsext-dnssec-bis-updates-17.txt: > > 5.1. Errors in Canonical Form Type Code List > > When canonicalizing DNS names (for both ordering and signing), DNS
Personally I feel this should be (for both ordering, signing and verifying) to be absolutely unambigious. All DNSSEC-software should consider the same things valid.
It is patched, thus resolved.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.