On Tue, Feb 2, 2016 at 11:59 AM, A. Schulze via Unbound-users < unbound-users@unbound.net> wrote:
> if I disable "use-caps-for-id" I get NXDOMAIN from unbound.
> so "caps-whitelist: postbank.de" solved the issue for me.

Looks like the postbank.de servers aren't performing a proper NSEC3 hash of the mixed-case query name, so the provided closest encloser proof fails:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.pOstbank.de | grep 'IN NSEC3'
8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 8OPKCG718INCIQIB0R7F67M9G4O4GH73
v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 V7EC9TOGM33VTN1PQIN295LHH5TUFUIS
kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 KT61B6GN579TVIF3QSLTNJG3F1F8UMC8

$ nsec3hash E80EE91FDC6B4795 1 1 pOstbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

But:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.postbank.de | grep 'IN NSEC3'
rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 RIN3S92AN87PLVF22QR8PDRD0SA7KI5H
33okvta5htf2hmv16mrerpavmogho4ug.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 33OKVTA5HTF2HMV16MRERPAVMOGHO4UI
262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 262B532H7R3GSGLESLNB9F9FMUMI3QB3

$ nsec3hash E80EE91FDC6B4795 1 1 postbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

Cheers,
Casey
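The comparison made above with dig and nsec3hash can be reproduced offline. The following is an added example, not part of the original post and not Unbound's or BIND's code: it computes the RFC 5155 NSEC3 hash (SHA-1) over the canonical, lowercased owner name and checks whether either reply contains an NSEC3 record matching the closest encloser postbank.de. The function names are hypothetical; the salt, iteration count and owner names are copied from the post.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, which NSEC3 owner labels use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name, canonical=True):
    """Encode a name in DNS wire format; the canonical form is lowercased."""
    if canonical:
        name = name.lower()
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations, canonical=True):
    """RFC 5155, algorithm 1: H(x || salt), then `iterations` additional rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name, canonical) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def has_closest_encloser_match(owners, zone, salt_hex, iterations):
    """True if an NSEC3 owner's first label equals the canonical hash of `zone`."""
    want = nsec3_hash(zone, salt_hex, iterations)
    return any(owner.split(".", 1)[0].upper() == want for owner in owners)

SALT, ITERATIONS = "E80EE91FDC6B4795", 1  # NSEC3 parameters shown in the post

# NSEC3 owner names copied from the two dig outputs in the post.
MIXED_CASE_REPLY = ["8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de.",
                    "v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de.",
                    "kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de."]
LOWER_CASE_REPLY = ["rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de.",
                    "33okvta5htf2hmv16mrerpavmogho4ug.postbank.de.",
                    "262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de."]

if __name__ == "__main__":
    for qname in ("postbank.de", "pOstbank.de"):
        print(qname, nsec3_hash(qname, SALT, ITERATIONS))
    for label, owners in (("mixed-case reply", MIXED_CASE_REPLY),
                          ("lower-case reply", LOWER_CASE_REPLY)):
        ok = has_closest_encloser_match(owners, "postbank.de", SALT, ITERATIONS)
        print(label, "closest encloser match:", ok)
```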