dns_rdata_compare() for NXT performs case sensitive name comparison
Summary
From https://support.isc.org/Ticket/Display.html?id=13416
9.11.3-S3
What is the current bug behavior?
As reported in the Support ticket:
I believe ... needs a patch pasted below (which, with the subject of this report, I believe is sufficient to show what's the problem). At the very least, if the case sensitive comparison is intentional, the call to dns_name_rdatacompare() is redundant and should be removed. Either way the code would need some update.
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
index a155af2..9b3852b 100644
--- a/lib/dns/rdata/generic/nxt_30.c
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -189,6 +189,9 @@ compare_nxt(ARGS_COMPARE) {
if (order != 0)
return (order);
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+
return (isc_region_compare(&r1, &r2));
}
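Review bot: the two added isc_region_consume() calls ahead of the final isc_region_compare() carry no comment, so compare_nxt() does not say why the name bytes are dropped. Add a short comment stating that the next name has already been compared above (the `order` check) and that only the rest of the RDATA is compared byte for byte. name_length(&name1) and name_length(&name2) are only correct if each name was initialised from its own region, which the hunk's context does not show, so check that against the lines above line 189. A test with two NXT records whose next names differ only in letter case would pin the behaviour down.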
Ensuing dialogue:
Case sensitive is correct. The name is not down cased for DNSSEC. It is an opaque blob for UPDATE.
-- Mark Andrews
Submitter:
But RFC4034 specifies NXT as an exception:
- if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR, HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX, SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in the DNS names contained within the RDATA are replaced by the corresponding lowercase US-ASCII letters;
Has that been changed since then?
Mark's reply:
That’s what gets me for doing things from memory while still in bed. Yes, we should consume those bytes, not that anyone used NXT anymore.
Note that list is wrong, RRSIG and NSEC are not canonicalised as they were assigned after the original list of types was released.
Also, HINFO does not contain a domain name; see Errata.
-- Mark Andrews, ISC
Submitter:
Okay, thanks for the confirmation. I agree (or already agreed in this report) this is a minor glitch. I just tried to make sure.
Note that list is wrong, RRSIG and NSEC are not canonicalised as they were assigned after the original list of types was released.
I agree that having these in the list looks awkward, although I don't know if it's really "wrong" (if it is, we should probably also report it to the RFC errata to prevent any possible interoperability problems). But in any case these are not my concern in this report. And BIND 9's implementation for these is at least consistent with that interpretation: compare_nsec() does not incorrectly call dns_name_rdatacompare(); compare_nsec() and digest_nsec() are consistent about handling the next name.
Also, HINFO does not contain a domain name; see Errata.
Right.
FYI: I've just realized RFC6840 updated RFC4034 and excluded NSEC from the list of RRs that require down-casing names in RDATA. Note also that RFC6840 still states down-casing is performed for RRSIG, which is different from BIND 9's implementation.
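The comparison discussed in this report, as a simplified stand-alone model added here for illustration. It is not BIND 9 code and not part of the ticket: `wire_name_len`, `region_cmp`, `compare_nxt_model` and the sample RDATA are hypothetical, and the name ordering is a plain ASCII-folded byte compare, not the ordering dns_name_rdatacompare() implements.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed NXT RDATA: uncompressed next name, then a 2-byte type bitmap. */
static const unsigned char NXT_A[] = {3,'W','W','W',7,'e','x','a','m','p','l','e',0,0x40,0x00};
static const unsigned char NXT_B[] = {3,'w','w','w',7,'E','X','A','M','P','L','E',0,0x40,0x00};
static const unsigned char NXT_C[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',0,0x60,0x00};

/* Bytes used by the wire-format name at p (root label included); 0 if truncated. */
static size_t wire_name_len(const unsigned char *p, size_t max) {
    size_t i = 0;
    while (i < max && p[i] != 0)
        i += (size_t)p[i] + 1;
    return i < max ? i + 1 : 0;
}
static int fold(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }
/* Byte-wise ordering of two regions; nocase folds US-ASCII letters first. */
static int region_cmp(const unsigned char *a, size_t al,
                      const unsigned char *b, size_t bl, int nocase) {
    size_t n = al < bl ? al : bl;
    for (size_t i = 0; i < n; i++) {
        int ca = nocase ? fold(a[i]) : a[i], cb = nocase ? fold(b[i]) : b[i];
        if (ca != cb)
            return ca < cb ? -1 : 1;
    }
    return al == bl ? 0 : (al < bl ? -1 : 1);
}

/* skip_name == 0 models the reported behaviour, 1 the patched behaviour. */
static int compare_nxt_model(const unsigned char *r1, size_t l1,
                             const unsigned char *r2, size_t l2, int skip_name) {
    size_t n1 = wire_name_len(r1, l1), n2 = wire_name_len(r2, l2);
    if (n1 == 0 || n2 == 0)                      /* malformed: raw compare only */
        return region_cmp(r1, l1, r2, l2, 0);
    int order = region_cmp(r1, n1, r2, n2, 1);   /* name, case-insensitive */
    if (order != 0)
        return order;
    if (skip_name) { r1 += n1; l1 -= n1; r2 += n2; l2 -= n2; }  /* consume names */
    return region_cmp(r1, l1, r2, l2, 0);        /* the rest, case-sensitive */
}

int main(void) {
    printf("reported=%d patched=%d bitmap-differs=%d\n",
           compare_nxt_model(NXT_A, sizeof NXT_A, NXT_B, sizeof NXT_B, 0),
           compare_nxt_model(NXT_A, sizeof NXT_A, NXT_B, sizeof NXT_B, 1),
           compare_nxt_model(NXT_A, sizeof NXT_A, NXT_C, sizeof NXT_C, 1));
    return 0;
}
```

Without the consume step, the final byte compare runs over the name again and undoes the case-insensitive result for records that differ only in letter case.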