On 03/26/2018 02:05 PM, Richard Gibson wrote:
> TSIGs cover "A whole and complete DNS message in wire format, before the
> TSIG RR has been added to the additional data section and before the DNS
> Message Header's ARCOUNT field has been incremented to contain the TSIG
> RR" (RFC 2845 section 3.4.1), and would therefore be sensitive to
> decompression.
>
I'll go through the TSIG specification in-depth tomorrow, but is that actually a problem? More specifically, is there a case where a DNS server is signing TSIG records when it doesn't control the wire representation of what's being sent? If there is, then that's a rather large one.

I brought up RRSIG because it came to mind: a DNS server may be relaying information it's unable to change/modify (i.e., a signed zone with a MAILA record). Since RRSIGs sign the canonical form of the record, the actual wire representation shouldn't matter if I understand the spec correctly (i.e., compressed/decompressed); an uncompressed MAILA record would essentially be equivalent to any other RFC 3597 record.

If I'm completely off base here, let me know. I'll follow up with my findings, but I'm guessing someone will beat me to it.

Michael

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
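The distinction the two messages above turn on (a TSIG MAC covers the message as it sits on the wire, an RRSIG covers each RR's canonical form) can be shown with a small worked example. The following Python is an added illustration, not code from the thread or from any DNS implementation. It builds a constructed response in which two owner names use a compression pointer back to the question name, one RR being a private-use TYPE65280 that stands in for an RFC 3597 unknown type, then rewrites the message with every name expanded. The key, the record contents and the type number are all assumptions for the demonstration, and the "TSIG MAC" is simplified to an HMAC over the message bytes alone (RFC 2845 section 3.4 also digests the request MAC and the TSIG variables, which do not change the point).

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the illustration, not a real TSIG key.
TSIG_KEY = b"constructed-shared-secret"


def encode_name(name):
    """Uncompressed wire form of a domain name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Read the name at msg[off:], following compression pointers.
    Returns (labels, end) where end is the offset just past the name as
    written in the message (a pointer terminates it after two bytes)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer, RFC 1035 s4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length])
        off += length
    return labels, (end if end is not None else off)


def labels_to_wire(labels):
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def _counts(msg):
    return struct.unpack("!HHHH", msg[4:12])


def decompress(msg):
    """Rebuild the message with every question/owner name written in full.
    RDATA is copied verbatim: the sample types carry no names in RDATA, and
    RFC 3597 forbids compression inside unknown-type RDATA anyway."""
    qd, an, ns, ar = _counts(msg)
    out, off = bytearray(msg[:12]), 12
    for _ in range(qd):
        labels, off = read_name(msg, off)
        out += labels_to_wire(labels) + msg[off:off + 4]
        off += 4
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        out += labels_to_wire(labels) + msg[off:off + 10 + rdlen]
        off += 10 + rdlen
    return bytes(out)


def canonical_rrs(msg):
    """RFC 4034 section 6.2 canonical form of each RR after the question
    section: owner uncompressed and lowercased, then TYPE, CLASS, TTL,
    RDLENGTH and RDATA. This is what an RRSIG is computed over."""
    qd, an, ns, ar = _counts(msg)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        owner = labels_to_wire([l.lower() for l in labels])
        rrs.append(owner + msg[off:off + 10 + rdlen])
        off += 10 + rdlen
    return rrs


def simplified_tsig_mac(key, msg):
    """HMAC over the message bytes only (simplification of RFC 2845 s3.4)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_sample_response():
    """Constructed response: example.com A, plus a private-use TYPE65280 RR
    (an assumed stand-in for an RFC 3597 unknown type) whose owner
    www.example.com ends in a pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    ptr = struct.pack("!H", 0xC000 | 12)
    rr_a = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    rdata = b"\x01\x02\x03"                       # opaque unknown-type RDATA
    rr_unknown = b"\x03www" + ptr + struct.pack("!HHIH", 65280, 1, 3600, len(rdata)) + rdata
    return header + question + rr_a + rr_unknown


def compare():
    """Same message compressed and decompressed: TSIG MAC changes, RRSIG input does not."""
    wire = build_sample_response()
    expanded = decompress(wire)
    return {
        "wire_len": len(wire),
        "expanded_len": len(expanded),
        "tsig_mac_matches": hmac.compare_digest(
            simplified_tsig_mac(TSIG_KEY, wire), simplified_tsig_mac(TSIG_KEY, expanded)),
        "canonical_matches": canonical_rrs(wire) == canonical_rrs(expanded),
    }


if __name__ == "__main__":
    print(compare())
```

Running it shows the two views side by side: expanding the pointers grows the 64-byte message to 86 bytes and the HMAC over the message no longer verifies, while the list of canonical RRs, and therefore anything an RRSIG would cover, is byte-for-byte identical. A relay that re-encodes a TSIG-signed message must therefore re-sign it under its own key, whereas RRSIGs survive any change of compression as long as the canonical form is preserved.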