RFC 3110, "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", May 2001
Source of RFC: dnsext (int)
See Also: RFC 3110 w/ inline errata
Errata ID: 2811
Publication Format(s) : TEXT
Reported By: George Barwood
Date Reported: 2011-05-21
Verifier Name: Brian Haberman
Date Verified: 2012-05-01
Section 3 says:
Leading zero bytes are permitted in the RSA/SHA1 algorithm signature.
It should say:
Leading zero bytes MUST be added to the RSA/SHA1 algorithm signature so that the signature size in bytes is equal to the size of n in bytes.
The Original Text implies that zero-padding of RSA signatures is optional; however, the underlying standard requires zero padding, http://tools.ietf.org/html/rfc2437#section-8.1.1
"4. Convert the signature representative s to a signature S of length k octets: S = I2OSP (s, k)"
where k is the length of the modulus in bytes. If the extra bytes are not added, standard RSA libraries will fail to verify the signature about 1% of the time when the padding occurs.
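Worked example of the fixed-length I2OSP encoding at issue, added here as illustration and not part of the erratum or RFC 3110. It uses a constructed toy key (p=61, q=53) and textbook RSA with no hashing or PKCS#1 encoding, and contrasts I2OSP(s, k) with minimal encoding against a verifier that enforces the length-k rule:

```python
# Added example (not from RFC 3110 or the erratum): I2OSP fixed-length
# encoding of an RSA signature versus minimal (leading-zero-stripped)
# encoding, checked by a verifier that applies the length-k rule of
# RFC 2437 section 8.1.1. Toy key, constructed for illustration only.

P, Q = 61, 53
N = P * Q                        # 3233; fits in k = 2 bytes
E = 17
D = 2753                         # E * D == 1 (mod lcm(P-1, Q-1))
K = (N.bit_length() + 7) // 8    # length of the modulus n in bytes


def i2osp(x: int, k: int) -> bytes:
    """Integer-to-Octet-String: big-endian, exactly k bytes, zero-padded."""
    if x < 0 or x >= 256 ** k:
        raise ValueError("integer too large for k octets")
    return x.to_bytes(k, "big")


def os2ip(s: bytes) -> int:
    """Octet-String-to-Integer (big-endian)."""
    return int.from_bytes(s, "big")


def minimal_encoding(x: int) -> bytes:
    """Shortest big-endian encoding: the reading the original text permitted."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def sign(m: int, pad: bool) -> bytes:
    """Textbook RSA signature of representative m on the toy key."""
    s = pow(m, D, N)
    return i2osp(s, K) if pad else minimal_encoding(s)


def verify(m: int, sig: bytes) -> bool:
    """Strict verifier: rejects any signature whose length is not k."""
    if len(sig) != K:
        return False
    return pow(os2ip(sig), E, N) == m


def padding_needed_fraction() -> float:
    """Fraction of representatives in [0, N) whose minimal encoding is
    shorter than k, i.e. the cases in which the two encodings differ.
    With this toy modulus (top byte 0x0C) that is about 8%; how often it
    happens depends on how full the leading byte of n is."""
    short = sum(1 for s in range(N) if len(minimal_encoding(s)) < K)
    return short / N
```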