Maintained by: NLnet Labs

[Unbound-users] [Q] HINFO in signed zone results SERVFAIL, but NOERROR with BIND

W.C.A. Wijngaards
Tue Jan 6 15:20:23 CET 2009


Hi Rick,

No. Either it is case insensitive and folded by the signer already, or
the case is important. Starting to try out which change verifies leads down
a very dangerous path. And who knows if SPF strings are not case
sensitive and when they will be used in the HINFO type :-)

The unbound behaviour for HINFO is to follow the dnssec-updates draft.

Best regards,
   Wouter

Rick van Rein wrote:
>> Unbound lowercases all text in the rdata of HINFO records before
>> verification.  Because that is what I believe RFC4034 6.2(3) means.
> 
> Isn't this one of those places where you can be liberal in what you accept?
> That is, trying multiple cases (wire format and lowercase, to be precise)
> while validating the signature?
> 
> I mean, there's hardly a security concern in the upper/lowercase distinction.

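Why a signer that keeps the published case and a validator that lowercases HINFO text cannot agree, as an added example (not part of the original message and not Unbound's or BIND's code). The record `host.example.`, its TTL and its strings are constructed, and SHA-256 over the canonical RR stands in for the full RRSIG computation.

```python
import hashlib
import struct

HINFO, CLASS_IN = 13, 1  # RR type and class codes from RFC 1035


def char_string(text: bytes) -> bytes:
    """One DNS <character-string>: a length octet followed by the data."""
    if len(text) > 255:
        raise ValueError("character-string longer than 255 octets")
    return bytes([len(text)]) + text


def wire_name(name: str) -> bytes:
    """Owner name in canonical form: lowercased, uncompressed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(char_string(l.encode("ascii")) for l in labels) + b"\x00"


def canonical_rr(owner: str, ttl: int, cpu: bytes, os_: bytes, fold: bool) -> bytes:
    """name | type | class | TTL | RDLENGTH | RDATA, as hashed for an RRSIG.

    fold=True lowercases the HINFO text first (the behaviour the message
    attributes to Unbound); fold=False keeps the bytes as published.
    """
    if fold:
        cpu, os_ = cpu.lower(), os_.lower()
    rdata = char_string(cpu) + char_string(os_)
    return wire_name(owner) + struct.pack("!HHIH", HINFO, CLASS_IN, ttl, len(rdata)) + rdata


def digest(owner, ttl, cpu, os_, fold):
    # Simplification: the RRSIG RDATA prefix is left out because it is
    # identical for both parties and does not affect the comparison.
    return hashlib.sha256(canonical_rr(owner, ttl, cpu, os_, fold)).hexdigest()


def validates(signer_folds: bool, validator_folds: bool, cpu: bytes, os_: bytes) -> bool:
    """True when signer and validator hash the same bytes (constructed record)."""
    args = ("host.example.", 3600, cpu, os_)
    return digest(*args, signer_folds) == digest(*args, validator_folds)


if __name__ == "__main__":
    for cpu, os_ in [(b"PC-Intel", b"Linux"), (b"pc-intel", b"linux")]:
        print(cpu, os_, "signer keeps case, validator folds ->",
              "match" if validates(False, True, cpu, os_) else "MISMATCH")
```

The mismatch only appears when the published strings contain uppercase characters; an all-lowercase HINFO hashes identically under both rules.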