
This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 62385
Status: resolved
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: 1fea [...] packet-pushers.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.16
Fixed in: (no value)



Subject: NSEC nxdname must not be compressed
RFC 3845 section 2.1.1 sayeth: A sender MUST NOT use DNS name compression on the Next Domain Name field when transmitting an NSEC RR. (BIND accepts the compression, Unbound does not) A patch: Index: RR/NSEC.pm =================================================================== --- RR/NSEC.pm (revision 861) +++ RR/NSEC.pm (working copy) @@ -91,8 +91,14 @@ my $rdata = "" ; if (exists $self->{"nxtdname"}) { - # Compression used here... - $rdata = $packet->dn_comp(($self->{"nxtdname"}),$offset); + # RFC 3854 2.1.1 + # A sender MUST NOT use DNS name compression on the Next Domain Name + # field when transmitting an NSEC RR. + my @labels = Net::DNS::name2labels($self->{"nxtdname"}); + foreach my $l (@labels) { + $rdata .= pack('CA*', length($l), $l); + } + $rdata .= pack('C', 0); $rdata .= $self->typebm(); } (seems like there must be a utility function that does the necessary packing without compression, but I couldn't find it)
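Review bot: the comment added in the hunk cites "RFC 3854 2.1.1", but the requirement it quotes is from RFC 3845 section 2.1.1, as the ticket subject and the report text say; please correct the number in `+ # RFC 3854 2.1.1` before it is committed. A second point in the same hunk: `pack('CA*', length($l), $l)` writes the label length into a single octet with no range check, so a label longer than 63 octets would be emitted with a length byte whose top bits collide with the reserved (01/10) and compression-pointer (11) label types, and an empty label would emit a premature terminator; a `die` (or a check in the caller) for `length($l) > 63` or `length($l) == 0` would keep malformed names from reaching the wire. Minor: `$offset` is no longer used in this branch now that `dn_comp` is gone.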
On Fri 22 Oct 2010 18:09:14, wessels wrote:
> RFC 3845 section 2.1.1 sayeth:
>
> A sender MUST NOT use DNS name compression on the Next Domain Name
> field when transmitting an NSEC RR.
Absolutely. I've applied your patch. It is in revision 1000 (congratulations :).
> (seems like there must be a utility function that does the necessary
> packing without compression, but I couldn't find it)
Indeed there does not seem to be one. Now I could write one in Net::DNS, but then we would have to release Net::DNS before we can do a new Net::DNS::SEC release, so I'm just going to use your patch for now. Also, the other RRs that need uncompressed dnames (like the Signer's Name in RRSIGs) use methods similar to the one you propose. Yours is probably actually better because, through name2labels, it takes escaped characters etc. into account. Thanks, -- Willem
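The encoding the ticket is about, as an added example that is not code from Net::DNS or Net::DNS::SEC (which are Perl; this is Python so it runs stand-alone): a presentation-format name is split into labels with the \. and \DDD escapes honoured, written as plain <length><label> octets ending in a zero octet with no compression, and joined to an RFC 4034 style type bit map to form NSEC RDATA. The checker then walks the Next Domain Name at the start of the RDATA and rejects a compression pointer (length octet with top two bits 11) or a reserved label type, which is the class of record the report says Unbound refuses. The function names, the TYPE_NUMBERS table (standard IANA type codes) and the sample RDATA are this example's own constructions.

```python
"""Uncompressed NSEC Next Domain Name encoding, plus a check that spots a
compression pointer in that field.  Added example for the ticket above, not
code from Net::DNS or Net::DNS::SEC.  TYPE_NUMBERS lists IANA type codes."""

TYPE_NUMBERS = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16,
                "AAAA": 28, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}


def name_to_labels(name):
    """Split a presentation-format name into wire labels (bytes objects),
    honouring the \\. and \\DDD escapes, so 'a\\.b.example.' gives b'a.b'."""
    if name == ".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            esc = name[i + 1:i + 4]
            if len(esc) == 3 and esc.isdigit():      # \DDD decimal escape
                cur.append(int(esc))
                i += 4
            else:                                     # \X literal escape
                cur.append(ord(name[i + 1]))
                i += 2
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def name_to_wire(name):
    """Encode a name as <len><label>...<0> with no compression, enforcing
    the RFC 1035 limits of 63 octets per label and 255 per name."""
    out = bytearray()
    for label in name_to_labels(name):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length %d out of range in %r" % (len(label), name))
        out.append(len(label))
        out += label
    out.append(0)
    if len(out) > 255:
        raise ValueError("name %r exceeds 255 octets on the wire" % name)
    return bytes(out)


def type_bitmap(types):
    """Build the NSEC Type Bit Maps field: one (window, length, bitmap)
    block per 256-type window, trailing zero octets trimmed."""
    windows = {}
    for t in types:
        n = TYPE_NUMBERS[t] if isinstance(t, str) else t
        bm = windows.setdefault(n >> 8, bytearray(32))
        bm[(n & 0xFF) >> 3] |= 0x80 >> (n & 7)
    out = bytearray()
    for win in sorted(windows):
        bm = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bm)]) + bm
    return bytes(out)


def nsec_rdata(next_name, types):
    """NSEC RDATA = uncompressed Next Domain Name + Type Bit Maps."""
    return name_to_wire(next_name) + type_bitmap(types)


def nsec_next_name(rdata):
    """Walk the Next Domain Name at the start of NSEC RDATA and return its
    labels.  Raises ValueError on a compression pointer (top two bits 11),
    on the reserved 01/10 label types, or on a truncated name."""
    labels, pos = [], 0
    while True:
        if pos >= len(rdata):
            raise ValueError("truncated Next Domain Name")
        n = rdata[pos]
        if n == 0:
            return labels
        if n & 0xC0 == 0xC0:
            raise ValueError("compression pointer at offset %d; RFC 3845 2.1.1 forbids it here" % pos)
        if n & 0xC0:
            raise ValueError("reserved label type 0x%02x at offset %d" % (n, pos))
        labels.append(bytes(rdata[pos + 1:pos + 1 + n]))
        pos += 1 + n


def next_name_is_uncompressed(rdata):
    """True if the Next Domain Name is a plain, pointer-free label sequence."""
    try:
        nsec_next_name(rdata)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = nsec_rdata("b.example.", ["A", "MX", "RRSIG", "NSEC"])
    print(good.hex(), next_name_is_uncompressed(good))
    # Constructed RDATA with a pointer to offset 12 in place of the labels,
    # the shape a compressing encoder emits when the name already appeared
    # earlier in the packet.
    bad = b"\xc0\x0c" + type_bitmap(["A", "MX", "RRSIG", "NSEC"])
    print(bad.hex(), next_name_is_uncompressed(bad))
```

The type bit map for A, MX, RRSIG and NSEC comes out as 00 06 40 01 00 00 00 03, which is the worked value in RFC 4034 section 4.1.2, so the bitmap half can be checked against the RFC while the name half is checked by the pointer scan.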