Hi Jan,

On 01/13/2016 01:37 PM, Jan Včelák via Unbound-users wrote:
> Hello list.
>
> This is mostly a question for developers: I've noticed that test
> suite for Unbound contains scenarios with DSA signatures in a
> different format than specified by RFC 2536
> (http://tools.ietf.org/html/rfc2536#section-3).
>
> The DNSSEC DSA signature should be always 41 bytes long. But if I
> take a look for instance at testdata/val_nsec3_nods.rpl line 97, I
> can see the following record:
>
> example.com. 3600 IN RRSIG DNSKEY 3 2 3600
> 20070926134802 20070829134802 2854 example.com.
> MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg==
> ;{id = 2854}
>
> This signature is 46 bytes long. And it is successfully validated by
> Unbound. Obviously, it's the DSA signature encoded as the X.509
> Dss-Sig-Value (https://tools.ietf.org/html/rfc2459#section-7.2.2).
>
> Is there a reason why Unbound accepts these signatures?

These signatures are produced by (an old?) signer. Unbound is compatible with its quirks. DSA is almost not deployed at all for DNSSEC, and the signer may already have been fixed for a long time. Unbound is compatible to remove false-positives from validation failures as much as possible.

Best regards, Wouter

> Best Regards,
>
> Jan
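The two encodings discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: it tells the 41-byte RFC 2536 form (T | R | S) apart from the DER Dss-Sig-Value form and re-encodes the latter into the former. The function names and the T value supplied by the caller are assumptions; the sample input is the signature quoted in the thread.

```python
import base64

# Signature field of the RRSIG quoted in the thread (testdata/val_nsec3_nods.rpl).
QUOTED_SIG = "MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg=="
QUOTED_RAW = base64.b64decode(QUOTED_SIG)

def _der_integer(buf, pos):
    """Read one short-form DER INTEGER at pos; return (value, next_pos).
    Lenient on purpose: the sign bit of the first content byte is not checked."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected short-form DER INTEGER")
    length = buf[pos + 1]
    end = pos + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_dss_sig_value(sig):
    """Parse SEQUENCE { r INTEGER, s INTEGER } and return (r, s)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE spanning the whole buffer")
    r, pos = _der_integer(sig, 2)
    s, pos = _der_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s

def classify(sig):
    """Return 'rfc2536', 'der' or 'unknown' for a DSA RRSIG signature field."""
    # RFC 2536: one octet T (0..8), then R and S as 20 octets each.
    if len(sig) == 41 and sig[0] <= 8:
        return "rfc2536"
    try:
        r, s = parse_dss_sig_value(sig)
    except ValueError:
        return "unknown"
    return "der" if max(r, s) < 1 << 160 else "unknown"

def der_to_rfc2536(sig, t):
    """Re-encode a DER signature as T | R | S. T is not carried in the DER
    form, so the caller must supply it (assumption: taken from the key)."""
    r, s = parse_dss_sig_value(sig)
    if not 0 <= t <= 8 or max(r, s) >= 1 << 160:
        raise ValueError("T, r or s out of range for RFC 2536")
    return bytes([t]) + r.to_bytes(20, "big") + s.to_bytes(20, "big")
```
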
