Hello all, dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records. This seems a problem especially for NSEC records which are case sensitive. dnssec-verify is moaning with errors like this:
Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch Example: dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch but the DNSSEC records are all in lowercase. ... IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0 ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400 20180817132852 20180726134251 44373 switch.ch. mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ PvvflRNol1sYSyxtn0Tlv8BFqYsISA== ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL RRSIG NSEC ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180 20180823223316 20180726134251 44373 switch.ch. zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA== ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30 ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400 20180814152223 20180726134251 44373 switch.ch. AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs vSPVtF7SjcBfVQU71a8FDUtjOfrCtg== ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31 52.201 E 415.00m 1m 10000m 10m ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400 20180815150750 20180726134251 44373 switch.ch. 1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4 B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ== ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A LOC RRSIG NSEC ... Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420 I guess, I could start to lowercase all owner names or move to NSEC3. I tested both approaches and they work. Daniel _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
