[net-dns-users] RRSIG->verify() bug Net::DNS::SEC 0.18 and later

Dick Franks rwfranks at acm.org
Tue Sep 30 23:57:46 UTC 2014


$self->{signame}->canonical is not the solution (not in Net::DNS pre-0.73).

Please can you raise a bug report in CPAN RT, citing RFC4034 (6.2).

Dick
________________________


On 30 September 2014 23:25, Wessels, Duane <dwessels at verisign.com> wrote:

> Maybe this is it?
>
> Index: RR/RRSIG.pm
> ===================================================================
> --- RR/RRSIG.pm (revision 1267)
> +++ RR/RRSIG.pm (working copy)
> @@ -516,7 +516,7 @@
>         $self->{typecovered} = 0 unless ref($rawdata);          # SIG0
>
>         my @field = qw(typecovered algorithm labels orgttl sigexpiration
> siginception keytag);
> -       my $sigdata = pack 'n C2 N3 n a*', @{$self}{@field},
> $self->{signame}->encode;
> +       my $sigdata = pack 'n C2 N3 n a*', @{$self}{@field},
> $self->{signame}->canonical;
>         print "preamble:\t", unpack( 'H*', $sigdata ) if $debug;
>
>         unless ( ref($rawdata) ) {                              # SIG0 case
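Review bot: the replaced `pack 'n C2 N3 n a*'` line makes verification depend on a `canonical` method of the signer's-name object, and the reply above states that Net::DNS before 0.73 has no such method, so on those versions this change turns a case-sensitivity bug into a runtime failure for every RRSIG. The signed data must use the RFC 4034 section 6.2 canonical form (lowercase) of the Signer's Name, which is exactly what the uppercase name from `dig us RRSIG` trips over; lowercasing the name before it is encoded, in a way that does not require a newer Net::DNS, would fix the verification path on all supported versions, and a regression test using an RRSIG with an uppercase Signer's Name should accompany the change.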
>
>
>
> On Sep 30, 2014, at 3:14 PM, Duane Wessels <dwessels at verisign.com> wrote:
>
> > Whoops, that patch is not the solution for this bug.  However, I'm
> > pretty sure it has something to do with upper/lower case!
> >
> > DW
> >
> >
> > On Sep 30, 2014, at 3:06 PM, Duane Wessels <dwessels at verisign.com>
> wrote:
> >
> >> Today I found one of my DNSSEC tools utilizing Net::DNS::SEC was
> reporting
> >> mysterious validation failures.  Tracked it to an RRSIG record with an
> >> uppercase Signer's Name field (see 'dig us RRSIG').
> >>
> >> I believe this may be the fix:
> >>
> >>
> >> Index: RR/RRSIG.pm
> >> ===================================================================
> >> --- RR/RRSIG.pm (revision 1267)
> >> +++ RR/RRSIG.pm (working copy)
> >> @@ -262,7 +262,7 @@
> >>               sigexpiration => $args{sigex} || 0,
> >>               algorithm     => $private->algorithm,
> >>               keytag        => $private->keytag,
> >> -               signame       => $private->signame,
> >> +               signame       => lc($private->signame),
> >>               );
> >>
> >>       $args{sigval} ||= 30 unless $self->{sigexpiration};
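Review bot: `lc($private->signame)` in the constructor only affects RRSIG objects built locally from a private key, so an RRSIG received from the wire with an uppercase Signer's Name (the `dig us RRSIG` case described above) never passes through this line and the reported verification failures remain. The case folding belongs where the signature data is assembled for verification (the `$sigdata` pack at line 516 in the later patch), so that the name is lowercased regardless of how the record was obtained; as written, the patch changes the stored `signame` of locally generated records, which is harmless but does not address the bug.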
> >>
> >
>
>
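As an added illustration of the canonical-form requirement cited above (RFC 4034 section 6.2), here is a small self-contained Perl script; it is not code from the thread or from Net::DNS, and `name_to_wire`, `rrsig_preamble` and the field values are constructed for the example. It builds the RRSIG preamble with the same `pack 'n C2 N3 n a*'` layout the patches use, once with the Signer's Name encoded as received and once in canonical (lowercased) form, and shows that the two byte strings differ. That difference is the bug: a signer that follows RFC 4034 hashes the canonical form, so a verifier that encodes the received uppercase name compares the signature against different data and rejects a valid RRSIG.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wire-format encoding of a domain name: each label length-prefixed,
# terminated by a zero byte. With $canonical set, ASCII uppercase letters
# are folded to lowercase first, as RFC 4034 section 6.2 requires for the
# data over which an RRSIG is computed. (Hypothetical helper for this example.)
sub name_to_wire {
    my ( $name, $canonical ) = @_;
    $name =~ s/\.\z//;                             # drop the trailing dot
    my $wire = '';
    for my $label ( grep { length $_ } split /\./, $name ) {
        my $l = $label;
        $l =~ tr/A-Z/a-z/ if $canonical;          # ASCII-only case fold
        $wire .= pack( 'C a*', length($l), $l );
    }
    return $wire . "\0";
}

# RRSIG RDATA with the Signature field omitted: the same 'n C2 N3 n a*'
# layout as in the thread, with the Signer's Name from name_to_wire().
sub rrsig_preamble {
    my ( $canonical, %f ) = @_;
    return pack( 'n C2 N3 n a*',
        @f{qw(typecovered algorithm labels orgttl sigexpiration siginception keytag)},
        name_to_wire( $f{signame}, $canonical ) );
}

# Constructed field values; the Signer's Name carries uppercase letters,
# as in the RRSIG that triggered the failures reported in the thread.
my %fields = (
    typecovered   => 1,             # A
    algorithm     => 8,             # RSA/SHA-256
    labels        => 1,
    orgttl        => 3600,
    sigexpiration => 1412553600,    # constructed timestamps
    siginception  => 1411344000,
    keytag        => 12345,
    signame       => 'US.',
);

my $as_received    = rrsig_preamble( 0, %fields );   # name encoded as seen on the wire
my $canonical_form = rrsig_preamble( 1, %fields );   # name in RFC 4034 canonical form

printf "as received: %s\n", unpack( 'H*', $as_received );
printf "canonical:   %s\n", unpack( 'H*', $canonical_form );
printf "identical:   %s\n", $as_received eq $canonical_form ? 'yes' : 'no';
```

Run with `perl` and compare the two hex dumps: only the bytes of the Signer's Name differ, but because the preamble is part of the signed data, that single-case difference is enough to make signature verification fail. The fix the thread converges on is to apply the case fold where the signature data is assembled, independent of where the RRSIG came from.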