blank.gif (43 bytes)

Church Of The
Swimming Elephant

4.1.1 Signature Data Connected: An Internet Encyclopedia
4.1.1 Signature Data

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 2065
Up: 4. The SIG Resource Record
Up: 4.1 SIG RDATA Format
Prev: 4.1 SIG RDATA Format
Next: 4.1.2 MD5/RSA Algorithm Signature Calculation

4.1.1 Signature Data

4.1.1 Signature Data

Except for algorithm number 253 where it is null, the actual signature portion of the SIG RR binds the other RDATA fields to all of the "type covered" RRs with that owner name and class. These covered RRs are thereby authenticated. To accomplish this, a data sequence is constructed as follows:

           data = RDATA | RR(s)...

where "|" is concatenation, RDATA is all the RDATA fields in the SIG RR itself before and not including the signature, and RR(s) are all the RR(s) of the type covered with the same owner name and class as the SIG RR in canonical form and order. How this data sequence is processed into the signature is algorithm dependent.

For purposes of DNS security, the canonical form for an RR is the RR with domain names (1) fully expanded (no name compression via pointers), (2) all domain name letters set to lower case, and (3) the original TTL substituted for the current TTL.

For purposes of DNS security, the canonical order for RRs is to sort them in ascending order by name, considering labels as a left justified unsigned octet sequence in network (transmission) order where a missing octet sorts before a zero octet. (See also ordering discussion in Section 5.1.) Within any particular name they are similarly sorted by type and then RDATA as a left justified unsigned octet sequence. EXCEPT that the type SIG RR(s) covering any particular type appear immediately after the other RRs of that type. (This special consideration for SIG RR(s) in ordering really only applies to calculating the AXFR SIG RR as explained in section 4.1.3 below.) Thus if at name a.b there are two A RRs and one KEY RR, their order with SIGs for concatenating the "data" to be signed would be as follows:

           a.b.  A ....
           a.b.  A ....
           a.b.  SIG A ...
           a.b.  KEY ...
           a.b.  SIG KEY ...

SIGs covering type ANY should not be included in a zone.

Next: 4.1.2 MD5/RSA Algorithm Signature Calculation

Connected: An Internet Encyclopedia
4.1.1 Signature Data


Protect yourself from cyberstalkers, identity thieves, and those who would snoop on you.
Stop spam from invading your inbox without losing the mail you want. We give you more control over your e-mail than any other service.
Block popups, ads, and malicious scripts while you surf the net through our anonymous proxies.
Participate in Usenet, host your web files, easily send anonymous messages, and more, much more.
All private, all encrypted, all secure, all in an easy to use service, and all for only $5.95 a month!

Service Details

Have you gone to church today?
All pages 1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated
Church of the Swimming Elephant1999, 2000, 2001, 2002, 2003 is a wholly owned subsidiary of Packetderm, LLC.

Packetderm, LLC
210 Park Ave #308
Worcester, MA 01609