> On 27 Jul 2018, at 1:34 am, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>
> Hello all,
>
> dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
> This seems a problem especially for NSEC records which are case
> sensitive. dnssec-verify is moaning with errors like this:

The case of the names doesn’t matter from a protocol perspective.

> Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch

Which is the bit map of types in NSEC record. This should be independent of the case of the names.

> Example:
>
> dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private
>
> Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch
> but the DNSSEC records are all in lowercase.
>
> ...
> IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
> ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400
>     20180817132852 20180726134251 44373 switch.ch.
>     mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ
>     PvvflRNol1sYSyxtn0Tlv8BFqYsISA==
> ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL
>     RRSIG NSEC
> ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180
>     20180823223316 20180726134251 44373 switch.ch.
>     zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce
>     EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA==
> ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
> ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400
>     20180814152223 20180726134251 44373 switch.ch.
>     AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs
>     vSPVtF7SjcBfVQU71a8FDUtjOfrCtg==
> ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31
>     52.201 E 415.00m 1m 10000m 10m
> ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400
>     20180815150750 20180726134251 44373 switch.ch.
>     1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4
>     B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ==
> ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A
>     LOC RRSIG NSEC
> ...
>
>
> Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420
>
> I guess, I could start to lowercase all owner names or move to NSEC3. I
> tested both approaches and they work.

or just turn off the added internal verification step until the issue with it is fixed.

dnssec-signzone -P

Can you file a bug report please.

Mark

> Daniel
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
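
An added example, not part of the thread and not BIND's code: a check of each NSEC type list against the RRsets present at the same owner, run over the records quoted above (signatures replaced by a placeholder, function name hypothetical). The case-sensitive mode only illustrates why owner names must be folded before such a comparison; it is not a diagnosis of the dnssec-verify error reported in the thread.

```python
from collections import defaultdict

# Constructed sample: the records quoted in the thread, one per line,
# with each RRSIG signature replaced by the placeholder "SIG".
SAMPLE_ZONE = """\
IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400 20180817132852 20180726134251 44373 switch.ch. SIG
ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL RRSIG NSEC
ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180 20180823223316 20180726134251 44373 switch.ch. SIG
ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400 20180814152223 20180726134251 44373 switch.ch. SIG
ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31 52.201 E 415.00m 1m 10000m 10m
ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400 20180815150750 20180726134251 44373 switch.ch. SIG
ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A LOC RRSIG NSEC
"""


def nsec_type_mismatches(zone_text, fold_case=True):
    """Return {owner: (declared, present)} for every owner whose NSEC type
    list differs from the set of record types found at that owner."""
    present = defaultdict(set)   # owner -> record types seen in the zone
    declared = {}                # owner -> types listed in its NSEC record
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue             # skip blanks and anything not "owner ttl IN type rdata"
        owner, rtype = fields[0], fields[3]
        # DNS names compare case-insensitively (ASCII only), so fold first.
        key = owner.lower() if fold_case else owner
        present[key].add(rtype)
        if rtype == "NSEC":
            # fields[4] is the next owner name; the rest is the type list.
            declared[key] = set(fields[5:])
    return {k: (declared[k], present[k])
            for k in declared if declared[k] != present[k]}


if __name__ == "__main__":
    for fold in (True, False):
        bad = nsec_type_mismatches(SAMPLE_ZONE, fold_case=fold)
        print(f"fold_case={fold}: mismatched owners = {sorted(bad)}")
```
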