From 373b84861710db8d60a2e715077adfab80382965 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Tue, 6 Oct 2015 07:59:47 +0100
Subject: [PATCH] HINFO does not need downcasing for DNSSEC

See the comment from Andrew: https://github.com/miekg/dns/pull/270#issuecomment-145696618
---
 README.md | 1 +
 dnssec.go | 28 +++++++++++++++-------------
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 744e20d..11ee00e 100644
--- a/README.md
+++ b/README.md
@@ -124,6 +124,7 @@ Example programs can be found in the `github.com/miekg/exdns` repository.
 * 6605 - ECDSA
 * 6725 - IANA Registry Update
 * 6742 - ILNP DNS
+* 6840 - Clarifications and Implementation Notes for DNS Security
 * 6844 - CAA record
 * 6891 - EDNS0 update
 * 6895 - DNS IANA considerations
diff --git a/dnssec.go b/dnssec.go
index 74747cf..84cb214 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -104,7 +104,7 @@ const (
 )
 
 // The RRSIG needs to be converted to wireformat with some of
-// the rdata (the signature) missing. Use this struct to easy
+// the rdata (the signature) missing. Use this struct to ease
 // the conversion (and re-use the pack/unpack functions).
 type rrsigWireFmt struct {
 TypeCovered uint16
@@ -248,13 +248,12 @@ func (d *DS) ToCDS() *CDS {
 return c
 }
 
-// Sign signs an RRSet. The signature needs to be filled in with
-// the values: Inception, Expiration, KeyTag, SignerName and Algorithm.
-// The rest is copied from the RRset. Sign returns true when the signing went OK,
-// otherwise false.
-// There is no check if RRSet is a proper (RFC 2181) RRSet.
-// If OrigTTL is non zero, it is used as-is, otherwise the TTL of the RRset
-// is used as the OrigTTL.
+// Sign signs an RRSet. The signature needs to be filled in with the values:
+// Inception, Expiration, KeyTag, SignerName and Algorithm. The rest is copied
+// from the RRset. Sign returns a non-nill error when the signing went OK.
+// There is no check if RRSet is a proper (RFC 2181) RRSet. If OrigTTL is non
+// zero, it is used as-is, otherwise the TTL of the RRset is used as the
+// OrigTTL.
 func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
 if k == nil {
 return ErrPrivKey
@@ -421,8 +420,8 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
 
 sigbuf := rr.sigBuf() // Get the binary signature data
 if rr.Algorithm == PRIVATEDNS { // PRIVATEOID
- // TODO(mg)
- // remove the domain name and assume its our
+ // TODO(miek)
+ // remove the domain name and assume its ours?
 }
 
 hash, ok := AlgorithmToHash[rr.Algorithm]
@@ -609,6 +608,12 @@ func rawSignatureData(rrset []RR, s *RRSIG) (buf []byte, err error) {
 // NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
 // HINFO, MINFO, MX, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
 // SRV, DNAME, A6
+ //
+ // RFC 6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC):
+ // Section 6.2 of [RFC4034] also erroneously lists HINFO as a record
+ // that needs conversion to lowercase, and twice at that. Since HINFO
+ // records contain no domain names, they are not subject to case
+ // conversion.
 switch x := r1.(type) {
 case *NS:
 x.Ns = strings.ToLower(x.Ns)
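Review bot: The rewritten doc comment on Sign now states the opposite of its contract: `Sign returns a non-nill error when the signing went OK` contradicts the `error` return (nil is the success value) and misspells nil, so a caller reading the doc would check the wrong way. Suggested wording for that sentence: `// from the RRset. Sign returns nil when the signing went OK, otherwise a non-nil error.` The old comment said "true when OK", so this looks like a half-finished update from the earlier bool return; the body of Sign continues past the hunk.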
@@ -638,9 +643,6 @@ func rawSignatureData(rrset []RR, s *RRSIG) (buf []byte, err error) {
 x.Target = strings.ToLower(x.Target)
 case *DNAME:
 x.Target = strings.ToLower(x.Target)
- case *HINFO:
- x.Os = strings.ToLower(x.Os)
- x.Cpu = strings.ToLower(x.Cpu)
 }
 // 6.2. Canonical RR Form. (5) - origTTL
 wire := make([]byte, r1.len()+1) // +1 to be safe(r)
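Review bot: Removing the `*HINFO` case changes the bytes that are signed and verified for any HINFO RRset whose CPU or OS field contains upper-case characters, so RRSIGs produced by earlier versions of this package over such records will no longer verify here (and signatures made here will not verify against the old code); that is the behaviour RFC 6840 calls for, but it is a silent interoperability change that deserves a regression test and a changelog line. A test that signs and verifies a mixed-case HINFO RRset, and asserts the round trip succeeds while the same RRset no longer verifies against a signature computed over the lowercased form, would pin the new canonical form. rawSignatureData starts and ends outside the hunk, so whether the lowercasing above mutates the caller's records or a copy is not visible here.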