Maintained by: NLnet Labs

[Unbound-users] [nsd-users] ldns (DNSSEC) and case-sensivity

Paul Wouters
Thu Oct 27 22:29:51 CEST 2011


On Thu, 27 Oct 2011, Michael Tokarev wrote:

> I debugged an issue for quite some time, when I wasn't
> able to set up DNSSEC (island of security) with unbound
> and NSD for any reverse (in-addr.arpa) zone, but it all
> worked just fine for any forward zone.
>
> unbound refused to validate any record from zones in
> question, giving the following messages:
>
> info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
> info: super is 168.192.in-addr.arpa. SOA IN
> debug: attempt DS match algo 7 keytag 24900
> debug: DS match digest ok, trying signature
> debug: verify: signature mismatch
> debug: rrset failed to verify: all signatures are bogus
> debug: Failed to match any usable anchor to a DNSKEY.
> info: validate keys with anchor(DS): sec_status_bogus
> info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN
>
> I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
> in the $ORIGIN line is written in UPPER-case, while all the rest
> uses lowercase.
>
> So I tried lowercasing it, and voila, everything worked.

Do you run unbound with use-caps-for-id: yes ? Some name servers don't handle that properly.

> I'm using command-line ldns tools to perform the signing, --
> ldns-keygen, ldns-signzone etc.

There is an ldns mailing list at  ldns-users at open.nlnetlabs.nl

Paul