validation of DSA signatures
Jan Včelák
jan.vcelak at nic.cz
Wed Jan 13 12:37:46 UTC 2016
Hello list.
This is mostly a question for developers: I've noticed that the test suite for
Unbound contains scenarios with DSA signatures in a different format than
specified by RFC 2536 (http://tools.ietf.org/html/rfc2536#section-3).
The DNSSEC DSA signature should always be 41 bytes long. But if I take a look
for instance at testdata/val_nsec3_nods.rpl line 97, I can see the following
record:
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
This signature is 46 bytes long. And it is successfully validated by Unbound.
Obviously, it's the DSA signature encoded as the X.509 Dss-Sig-Value
(https://tools.ietf.org/html/rfc2459#section-7.2.2).
Is there a reason why Unbound accepts these signatures?
Best Regards,
Jan
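The two encodings the post contrasts, as an added example that is not part of the original message or of Unbound's code: a strict RFC 2536 parser (1-byte T, 20-byte R, 20-byte S) beside a parser for the X.509 Dss-Sig-Value (DER SEQUENCE of two INTEGERs), run over the signature quoted from the test file. The function names and the value T=3 used in the round-trip are assumptions for illustration.

```python
import base64

# Signature copied from the RRSIG quoted in the post (testdata/val_nsec3_nods.rpl).
RRSIG_B64 = "MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg=="
EXAMPLE_SIG = base64.b64decode(RRSIG_B64)


def parse_rfc2536(sig):
    """RFC 2536 section 3: T (1 byte, 0..8), then R and S as 20-byte unsigned ints."""
    if len(sig) != 41:
        raise ValueError("RFC 2536 DSA signature must be 41 bytes, got %d" % len(sig))
    t = sig[0]
    if t > 8:
        raise ValueError("T must be in 0..8, got %d" % t)
    return t, int.from_bytes(sig[1:21], "big"), int.from_bytes(sig[21:41], "big")


def _der_int(buf, pos):
    """Decode one short-form DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length = buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected for a DSA r/s value")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated INTEGER")
    body = buf[start:end]
    if not body or (len(body) > 1 and body[0] == 0 and body[1] < 0x80):
        raise ValueError("non-minimal DER INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid DSA r/s")
    return int.from_bytes(body, "big"), end


def parse_dss_sig_value(sig):
    """RFC 2459 7.2.2: Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE spanning the whole signature")
    r, pos = _der_int(sig, 2)
    s, pos = _der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after Dss-Sig-Value")
    return r, s


def classify(sig):
    """('rfc2536', t, r, s) for the DNSSEC wire form, ('der', r, s) for Dss-Sig-Value."""
    if len(sig) == 41:  # only the RFC 2536 form has this fixed length
        return ("rfc2536",) + parse_rfc2536(sig)
    return ("der",) + parse_dss_sig_value(sig)


def to_rfc2536(t, r, s):
    """Rebuild the 41-byte wire form; note the DER form carries no T, so it must be supplied."""
    return bytes([t]) + r.to_bytes(20, "big") + s.to_bytes(20, "big")


if __name__ == "__main__":
    print(len(EXAMPLE_SIG), classify(EXAMPLE_SIG)[0])
```

Run as-is it reports the quoted signature as 46 bytes in DER form; a validator that enforced RFC 2536 literally would reject it at the length check.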