Though this is in fact implicit in RFC4035 Section 6.2, it is perhaps
worth reminding any implementors reading this post (and though absurdly
late, perhaps even adding yet another minor tweak to the document) that
the target name of a SVCB or HTTPS record, though a domain name, MUST
NOT be canonicalised to lower case when signing or validating.

These names are of course (for largely the same reasons) also not
candidates for name compression.

I've seen some evidence that this point is not always obvious to
implementors rushing support for these out the door, and actual
mixed-case targets in signed zones to test against are exceedingly
scarce.  So it is easy to ship a non-interoperable implementation that
will only exhibit problems much later when sufficiently many zone owners
do decide to use mixed case target names for some cosmetic reason.

I am not expecting miracles in terms of document changes, so no flames
please, just do the right thing whatever that might be.  On the other hand,
if you are implementing or have recently implemented support for signing
or validating SVCB/HTTPS records, please make sure that the input to the
hash for signing/validation is not case-folded.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
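
The point of the message above, as an added illustration (not code from the post or from any DNS implementation): the RDATA octets hashed for an HTTPS record keep the target's case, while a legacy type such as MX has its embedded name lowercased, and a validator that folds the HTTPS target anyway only disagrees with the signer once a mixed-case target shows up. The function names, the sample names, and the `FOLDED_TYPES` subset are assumptions made for the example, and the digest covers the RDATA alone as a stand-in for the full signature input.

```python
import hashlib
import struct

# Constructed subset of the types whose embedded names ARE lowercased in the
# DNSSEC canonical RR form. SVCB and HTTPS are deliberately not in it.
FOLDED_TYPES = {"NS", "CNAME", "MX", "SRV"}


def name_to_wire(name: str, fold: bool) -> bytes:
    """Uncompressed wire form of a domain name; case is folded only on request."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:          # root name, or nothing left after the strip
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + (raw.lower() if fold else raw)
    return out + b"\x00"


def canonical_rdata(rrtype: str, priority: int, target: str, params: bytes = b"") -> bytes:
    """16-bit priority/preference, then the name, then any SvcParams, as hashed."""
    fold = rrtype in FOLDED_TYPES
    return struct.pack("!H", priority) + name_to_wire(target, fold) + params


def folding_validator_agrees(target: str, params: bytes = b"") -> bool:
    """True if a validator that wrongly lowercases the HTTPS target would still
    hash the same RDATA octets as a signer that preserved the case."""
    signed = canonical_rdata("HTTPS", 1, target, params)
    folded = struct.pack("!H", 1) + name_to_wire(target, True) + params
    return hashlib.sha256(signed).digest() == hashlib.sha256(folded).digest()


ALPN_H2 = b"\x00\x01\x00\x03\x02h2"   # constructed SvcParams: alpn=h2

if __name__ == "__main__":
    for target in ("svc.example.net.", "Svc.Example.NET."):   # constructed names
        print(target, canonical_rdata("HTTPS", 1, target, ALPN_H2).hex(),
              "agree" if folding_validator_agrees(target, ALPN_H2) else "MISMATCH")
```

The all-lowercase target hashes identically either way, which is why the defect stays hidden until a zone publishes a mixed-case target.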
