It appears that the equality tests for SIGBase and NSEC are comparing the respective signer and next fields with case insensitivity, as other RR types that include names. However, this is incorrect canonicalization behavior, according to DNSSEC-bis (Section 5.1):
http://datatracker.ietf.org/doc/draft-ietf-dnsext-dnssec-bis-updates/?include_text=1 This also means that the same RRSIG covering two NSEC RRs, differing only by next field, will have two different validation results. Would it be possible to remove the case insensitive comparison in these fields? Thanks, Casey _______________________________________________ dnspython-bugs mailing list [email protected] http://howl.play-bow.org/mailman/listinfo.cgi/dnspython-bugs
