Subject: New NSEC conversion rules by DNSSECbis
So, I'm glad this one is finally being resolved. It's obviously been a
problem but it's clear now, based on the current DNSSECbis draft, that
there are multiple interpretations as well as a new "strategy for the
future". Specifically from draft-ietf-dnsext-dnssec-bis-updates-17.txt:

   5.1. Errors in Canonical Form Type Code List

   When canonicalizing DNS names (for both ordering and signing), DNS
   names in the RDATA section of NSEC resource records are not
   downcased. DNS names in the RDATA section of RRSIG resource records
   are downcased.

Which requires the attached patch to NSEC.pm.
[FYI, I've been watching problems with DNSSEC-Tools' donuts, which uses
RRSIG.pm and NSEC.pm, for years, and every time I toggle the behavior some
other implementation requires me to toggle it back. I'm glad it's not
just me.]
Subject: v0.16-NSEC-nxtdname-issue.patch
--- RR/NSEC.pm.~1~ 2012-03-19 13:51:10.632177561 -0700
+++ RR/NSEC.pm 2012-03-19 13:51:19.029238145 -0700
@@ -106,7 +106,7 @@
sub _normalize_dnames {
my $self=shift;
$self->_normalize_ownername();
- $self->{'nxtdname'}=lc(Net::DNS::stripdot($self->{'nxtdname'})) if defined $self->{'nxtdname'};
+ $self->{'nxtdname'}=Net::DNS::stripdot($self->{'nxtdname'}) if defined $self->{'nxtdname'};
}
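Review bot: The changed nxtdname line in _normalize_dnames carries no comment saying why the case is now preserved, and since this behaviour has reportedly been flipped back and forth before, the next reader is likely to see the missing lc() as an oversight and restore it. Please add a short comment above the line citing section 5.1 of draft-ietf-dnsext-dnssec-bis-updates-17 (NSEC RDATA names are not downcased for canonical form), and note that the owner name is still normalized by _normalize_ownername() so the asymmetry is clearly intentional. It is also worth checking any caller that compares nxtdname against another name with a plain string comparison, because it can no longer assume a lowercased value, and adding a regression test with a mixed-case next domain name so signature validation pins the behaviour.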