Maintained by: NLnet Labs

validation of DSA signatures

W.C.A. Wijngaards
Wed Jan 13 14:51:12 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jan,

On 01/13/2016 01:37 PM, Jan V?elák via Unbound-users wrote:
> Hello list.
> 
> This is mostly a question for developers: I've noticed that test
> suite for Unbound contains scenarios with DSA signatures in a
> different format than specified by RFC 2536
> (http://tools.ietf.org/html/rfc2536#section-3).
> 
> The DNSSEC DSA signature should be alywas 41 bytes long. But if I
> take a look for instance at testdata/val_nsec3_nods.rpl line 97, I
> can see the following record:
> 
> example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600
> 20070926134802 20070829134802 2854 example.com. 
> MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg==
> ;{id = 2854}
> 
> This signature is 46 bytes long. And it is sucessfully validated by
> Unbound. Obviously, it's the DSA signature encoded as the X.509
> Dss-Sig-Value (https://tools.ietf.org/html/rfc2459#section-7.2.2).
> 
> Is there a reason why does Unbound you accept these signatures?

These signatures are produced by (an old?) signer.  Unbound is
compatible with its quirks.  DSA is almost not deployed at all for
DNSSEC, and the signer may already have been fixed for a long time.
Unbound is compatible to remove false-positives from validation
failures as much as possible.

Best regards, Wouter

> 
> Best Regards,
> 
> Jan
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWllZQAAoJEJ9vHC1+BF+NKh0P/1lDoGwXnD9mA5njXTrt8iBq
VuU7hr695iOC/732+L9XvI/AnO6fDy/lFz3R9XDYXikrCYgr3wbkIWfDLy20pRT7
gN/IewJST45MkcJjcYSwPfemD4rLV5nE9ZNDDkdwJ+K+BYKoSFAWyuaJjsvLgZyB
l2D2D6MGUaeH4cjBtyr5p1TVVEB1PDmy4xvq7UBG2qpPyyuGfhWOBIxJVc6egb4R
p/Xay5S+4DCethVuQPRdrgNC9rYSk5z1o/jQQcQPhX2Lag0XvmPvzflcNP4waR9K
75CD4HbPstWrCqh5hpcTo3zPXB/URzzThw0phHC8ysadUCGHH92g83/QfMm0xTdI
EiHE5KHJiWo/D5/zAxlOZWUNdm0KZMUTPrb2uJlKAXtvLWG5LAc++azWcLbnLqYQ
Q12Fy1TbaZB+uuE/RAISZV/UgjebE6psTeYcR87xzRPN8SyNuqP+GZiPu7DUQeBH
0S4Vl0mH6/e548gyDN4bCkUKyJHBiThfn+VS/X49bR7QSe0/gp3I0rtj1bagBA8N
GCU7+T77FKjZbVbsiHR9cfNNx9SmorgZE7ZF5Gqp1HQ6M6+shTfj/rwjL3eMla9x
05mVXE40RyMHfI4ystpYQj2bLxJOBc0rYqVTk+/hdQS0DmzHJL/wKfgXqdk6aPjZ
bHXnuM3z7l0xtXpgWdwA
=OAJj
-----END PGP SIGNATURE-----