Maintained by: NLnet Labs

validation of DSA signatures

Jan Včelák
Wed Jan 13 13:37:46 CET 2016

Hello list.

This is mostly a question for developers: I've noticed that test suite for 
Unbound contains scenarios with DSA signatures in a different format than 
specified by RFC 2536 (

The DNSSEC DSA signature should be alywas 41 bytes long. But if I take a look 
for instance at testdata/val_nsec3_nods.rpl line 97, I can see the following 
record:    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 
20070829134802 2854 
MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}

This signature is 46 bytes long. And it is sucessfully validated by Unbound. 
Obviously, it's the DSA signature encoded as the X.509 Dss-Sig-Value 

Is there a reason why does Unbound you accept these signatures?

Best Regards,