Is NSEC case sensitive while being signed?

nospam.d.lca at nospam.d.lca at
Tue Mar 11 20:11:53 UTC 2008

Thank you for the answer, but I have a follow up question.  I don't
quite understand the reason for making NSEC and RRSIG case
sensitive.    Do you mind elaborating a little bit?


On Mar 11, 8:05 am, Matthew Pounsett <m... at> wrote:
> On 10-Mar-2008, at 19:03 , nospam.d.... at wrote:
> > I am using dnssec-signzone from BIND 9.5.0b2.  It seems that if I
> > change the case of the next domain name in the RDATA of NSEC record,
> > the signature in RRSIG for the NSEC record will change.
> > Does this mean that next domain name in NSEC is case sensitive, or did
> > I make some mistake in my experiment?
> Yes, NSEC is case sensitive.  The block of text Mark meant to direct  
> you to is section 2.5 of <
>  >, which is a list of clarifications of previous DNSSEC documents.
> Specifically,
>            When canonicalizing DNS names, DNS names in the RDATA  
> section of NSEC
>            and RRSIG resource records are not downcased.
>            [RFC4034] Section 6.2 item 3 has a list of resource record  
> types for
>            which DNS names in the RDATA are downcased for purposes of  
>            canonical form (for both ordering and signing). That list
>            erroneously contains NSEC and RRSIG. According to  
> [RFC3755], DNS
>            names in the RDATA of NSEC and RRSIG should not be downcased.

More information about the bind-users mailing list