From: bert hubert
Date: Wed, 22 Jun 2016 10:57:10 +0000 (+0200)
Subject: when generating message for signature (validation), no longer lowercase NSEC rdata...
X-Git-Tag: auth-4.0.0-rc1~20^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=feb53a7778f2dd3c8213fe822ff3b0756792e40e;p=thirdparty%2Fpdns.git

when generating message for signature (validation), no longer lowercase NSEC rdata, in accordance with RFC 6840, paragraph 5.1. This changes both auth and recursor behaviour, except I think we never consciously sign NSEC records with user generated content. We might lowercase it before we attempt to anyhow.
---
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index d9f2770447..6695a890b9 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -365,7 +365,8 @@ string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, v
 toHash.append((char*)&tmp, 2);
 uint32_t ttl=htonl(rrc.d_originalttl);
 toHash.append((char*)&ttl, 4);
- string rdata=add->serialize(DNSName("."), true, true);
+ // for NSEC signatures, we should not lowercase the rdata section
+ string rdata=add->serialize(DNSName("."), true, (add->getType() == QType::NSEC) ? false : true); // RFC 6840, 5.1
 tmp=htons(rdata.length());
 toHash.append((char*)&tmp, 2);
 toHash.append(rdata);
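Review bot: The new `serialize` call spells its last argument as `(add->getType() == QType::NSEC) ? false : true`, which is just a negated comparison and reads more directly as `string rdata=add->serialize(DNSName("."), true, add->getType() != QType::NSEC); // RFC 6840, 5.1: NSEC rdata names keep their case`. The commit message says this string feeds both signing on the auth side and validation in the recursor, so a canonicalisation mismatch with a peer would presumably surface as signatures failing to verify rather than as a loud error. Nothing visible in this hunk pins the new behaviour, so a regression test that signs and validates an NSEC RRset whose next-owner name contains upper-case labels would be worth adding. That the third argument is the lowercase flag is inferred from the comment and the commit message; getMessageForRRSET starts and ends outside the hunk.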