dnssec-signzone sometimes does lowercase DNSSEC records
Mark Andrews
marka at isc.org
Thu Jul 26 23:35:28 UTC 2018
> On 27 Jul 2018, at 1:34 am, Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
>
> Hello all,
>
> dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
> This seems a problem especially for NSEC records which are case
> sensitive. dnssec-verify is moaning with errors like this:
The case of the names doesn’t matter from a protocol perspective.
> Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch
Which is the bit map of types in NSEC record. This should be
independent of the case of the names.
> Example:
>
> dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private
>
> Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch
> but the DNSSEC records are all in lowercase.
> ...
> IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
> ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400
> 20180817132852 20180726134251 44373 switch.ch.
> mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ
> PvvflRNol1sYSyxtn0Tlv8BFqYsISA==
> ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL
> RRSIG NSEC
> ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180
> 20180823223316 20180726134251 44373 switch.ch.
> zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce
> EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA==
> ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
> ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400
> 20180814152223 20180726134251 44373 switch.ch.
> AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs
> vSPVtF7SjcBfVQU71a8FDUtjOfrCtg==
> ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31
> 52.201 E 415.00m 1m 10000m 10m
> ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400
> 20180815150750 20180726134251 44373 switch.ch.
> 1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4
> B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ==
> ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A
> LOC RRSIG NSEC
> ...
>
>
> Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420
>
> I guess, I could start to lowercase all owner names or move to NSEC3. I
> tested both approaches and they work.
or just turn off the added internal verification step until the issue with it is fixed.
dnssec-signzone -P
Can you file a bug report please.
Mark
> Daniel
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list