dnssec-signzone sometimes does lowercase DNSSEC records

Mark Andrews marka at isc.org
Thu Jul 26 23:35:28 UTC 2018



> On 27 Jul 2018, at 1:34 am, Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
> 
> Hello all,
> 
> dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
> This seems a problem especially for NSEC records which are case
> sensitive. dnssec-verify is moaning with errors like this:

The case of the names doesn’t matter from a protocol perspective.

> Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch

Which is the bit map of types in the NSEC record.  This should be
independent of the case of the names.

> Example:
> 
> dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private
> 
> Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch
> but the DNSSEC records are all in lowercase.
> ...
> IPv4.switch.ch.                   86400 IN APL  1:0.0.0.0/0
> ipv4.switch.ch.                   86400 IN RRSIG    APL 13 3 86400
> 20180817132852 20180726134251 44373 switch.ch.
> mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ
> PvvflRNol1sYSyxtn0Tlv8BFqYsISA==
> ipv4.switch.ch.                   180 IN NSEC   cam.ipv4.switch.ch. APL
> RRSIG NSEC
> ipv4.switch.ch.                   180 IN RRSIG  NSEC 13 3 180
> 20180823223316 20180726134251 44373 switch.ch.
> zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce
> EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA==
> ipad-rigi-2.switch.ch.                86400 IN A    130.59.97.30
> ipad-rigi-2.switch.ch.                86400 IN RRSIG    A 13 3 86400
> 20180814152223 20180726134251 44373 switch.ch.
> AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs
> vSPVtF7SjcBfVQU71a8FDUtjOfrCtg==
> ipad-rigi-2.switch.ch.                86400 IN LOC  47 22 23.970 N 8 31
> 52.201 E 415.00m 1m 10000m 10m
> ipad-rigi-2.switch.ch.                86400 IN RRSIG    LOC 13 3 86400
> 20180815150750 20180726134251 44373 switch.ch.
> 1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4
> B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ==
> ipad-rigi-2.switch.ch.                180 IN NSEC   ipv4.switch.ch. A
> LOC RRSIG NSEC
> ...
> 
> 
> Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420
> 
> I guess, I could start to lowercase all owner names or move to NSEC3. I
> tested both approaches and they work.

or just turn off the added internal verification step until the issue with it is fixed.

dnssec-signzone -P

Can you file a bug report please?

Mark

> Daniel

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
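
An independent check of the NSEC type lists in signed output, comparing owner names case-insensitively as the reply says the protocol does; this is an added example, not part of the original thread or BIND code, and it does not diagnose the dnssec-signzone issue. The sample records are constructed from the output quoted above with signature data replaced by a placeholder, and `fold`, `parse` and `nsec_mismatches` are hypothetical names.

```python
from collections import defaultdict

# Constructed sample modelled on the signed output quoted in the thread:
# folded lines are joined and RRSIG rdata is replaced by "(sig)".
SAMPLE = """\
IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
ipv4.switch.ch. 86400 IN RRSIG APL (sig)
ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL RRSIG NSEC
ipv4.switch.ch. 180 IN RRSIG NSEC (sig)
ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
ipad-rigi-2.switch.ch. 86400 IN RRSIG A (sig)
ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31 52.201 E 415.00m 1m 10000m 10m
ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC (sig)
ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A LOC RRSIG NSEC
"""


def fold(name):
    """DNS names compare case-insensitively on ASCII letters (RFC 4343)."""
    return name.lower().rstrip(".")


def parse(text):
    """Yield (owner, rrtype, rdata_fields) from one-record-per-line text."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "IN":
            yield f[0], f[3], f[4:]


def nsec_mismatches(text, key=fold):
    """Compare each NSEC type list with the types present at that owner.

    `key` maps an owner name to its grouping key (case-folded by default).
    Returns {owner_key: (types_in_nsec, types_present)} per disagreement.
    """
    present, claimed = defaultdict(set), {}
    for owner, rrtype, rdata in parse(text):
        present[key(owner)].add(rrtype)
        if rrtype == "NSEC":
            claimed[key(owner)] = set(rdata[1:])  # rdata[0] is the next name
    return {o: (sorted(t), sorted(present[o]))
            for o, t in claimed.items() if t != present[o]}


if __name__ == "__main__":
    print("case-insensitive:", nsec_mismatches(SAMPLE))
    print("case-sensitive:  ", nsec_mismatches(SAMPLE, key=str))
```

With the default case-folded grouping the sample has no mismatches; passing `key=str` groups owners by exact spelling and reports `ipv4.switch.ch.`, because the APL record sits under `IPv4.switch.ch.`.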


