Daniel Stirnimann
2018-07-26 15:34:07 UTC
Hello all,
dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
This seems a problem especially for NSEC records which are case
sensitive. dnssec-verify is moaning with errors like this:
Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch
Example:
dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private
Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch
but the DNSSEC records are all in lowercase.
...
IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400
20180817132852 20180726134251 44373 switch.ch.
mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ
PvvflRNol1sYSyxtn0Tlv8BFqYsISA==
ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL
RRSIG NSEC
ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180
20180823223316 20180726134251 44373 switch.ch.
zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce
EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA==
ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400
20180814152223 20180726134251 44373 switch.ch.
AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs
vSPVtF7SjcBfVQU71a8FDUtjOfrCtg==
ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31
52.201 E 415.00m 1m 10000m 10m
ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400
20180815150750 20180726134251 44373 switch.ch.
1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4
B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ==
ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A
LOC RRSIG NSEC
...
Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420
I guess, I could start to lowercase all owner names or move to NSEC3. I
tested both approaches and they work.
Daniel
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
This seems a problem especially for NSEC records which are case
sensitive. dnssec-verify is moaning with errors like this:
Bad NSEC record for ipad-rigi-2.switch.ch, bit map mismatch
Example:
dnssec-signzone -o switch.ch. switch.ch Kswitch.ch.+013+44373.private
Output, note that ipv4.switch.ch is originally written as IPv4.switch.ch
but the DNSSEC records are all in lowercase.
...
IPv4.switch.ch. 86400 IN APL 1:0.0.0.0/0
ipv4.switch.ch. 86400 IN RRSIG APL 13 3 86400
20180817132852 20180726134251 44373 switch.ch.
mf2CacXrMqsePVoC+WvjX4CHcJBBP6CZPmzl1LXj5X6pNVVb2T7DzzsZ
PvvflRNol1sYSyxtn0Tlv8BFqYsISA==
ipv4.switch.ch. 180 IN NSEC cam.ipv4.switch.ch. APL
RRSIG NSEC
ipv4.switch.ch. 180 IN RRSIG NSEC 13 3 180
20180823223316 20180726134251 44373 switch.ch.
zxGwOJsnbK4OEDqlyQ/Hxea3m/W2aFwg2OKDos1u6rJNTW64Gp6cg3Ce
EiNX3JY9VMsKXAFsGYKjnjtzNM/VEA==
ipad-rigi-2.switch.ch. 86400 IN A 130.59.97.30
ipad-rigi-2.switch.ch. 86400 IN RRSIG A 13 3 86400
20180814152223 20180726134251 44373 switch.ch.
AsQJ3ONoS19evdbsIf3Xkfs+s66cFc3KVLrTvK3BA1kqZKTKUwdz1iqs
vSPVtF7SjcBfVQU71a8FDUtjOfrCtg==
ipad-rigi-2.switch.ch. 86400 IN LOC 47 22 23.970 N 8 31
52.201 E 415.00m 1m 10000m 10m
ipad-rigi-2.switch.ch. 86400 IN RRSIG LOC 13 3 86400
20180815150750 20180726134251 44373 switch.ch.
1/co/914PvPKscFDM+tveLuywfnnTmkjv8vfZlPUY/wwGWugcDcOMvP4
B2ldHp2T8GPv1cbCSQG1/ibWAbR5WQ==
ipad-rigi-2.switch.ch. 180 IN NSEC ipv4.switch.ch. A
LOC RRSIG NSEC
...
Is this bug related to https://gitlab.isc.org/isc-projects/bind9/issues/420
I guess, I could start to lowercase all owner names or move to NSEC3. I
tested both approaches and they work.
Daniel
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users