Maintained by: NLnet Labs

[Unbound-users] ldns (DNSSEC) and case-sensitivity

Michael Tokarev
Thu Oct 27 21:57:28 CEST 2011


I debugged an issue for quite some time, when I wasn't
able to set up DNSSEC (island of security) with unbound
and NSD for any reverse (in-addr.arpa) zone, but it all
worked just fine for any forward zone.

unbound refused to validate any record from zones in
question, giving the following messages:

 info: validator: inform_super, sub is 168.192.in-addr.arpa. DNSKEY IN
 info: super is 168.192.in-addr.arpa. SOA IN
 debug: attempt DS match algo 7 keytag 24900
 debug: DS match digest ok, trying signature
 debug: verify: signature mismatch
 debug: rrset failed to verify: all signatures are bogus
 debug: Failed to match any usable anchor to a DNSKEY.
 info: validate keys with anchor(DS): sec_status_bogus
 info: failed to prime trust anchor -- DNSKEY rrset is not secure 168.192.in-addr.arpa. DNSKEY IN

I asked in #unbound on freenode, but noticed that IN-ADDR.ARPA
in the $ORIGIN line is written in UPPER-case, while all the rest
uses lowercase.

So I tried lowercasing it, and voila, everything worked.

I'm using command-line ldns tools to perform the signing:
ldns-keygen, ldns-signzone etc.

So if any of you happen to do the same (sort-of-insane)
thing, please use lowercase chars in zone origins, or
else the resulting signed zone will not validate.

Using unbound-1.4.12, nsd 3.2.5, and ldnsutils 1.6.10.

Posted to both unbound and nsd since I'm subscribed to both
and don't know if there's a special ldns mailing list for this,
and since the problem will be seen as a failure to verify the zone,
so will appear like unbound-related.

Thanks,

/mjt
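
Added example, not part of the original post and not ldns or unbound code: RFC 4034 section 6.2 has validators lowercase owner names before checking an RRSIG, so a signature computed over the name as written in an upper-case $ORIGIN covers different bytes. The sketch hashes only the RR portion of the signature input with SHA-1 (the hash used by algorithm 7), assumes the signer used the name as written, and adds a pre-signing check for upper-case $ORIGIN lines; the zone text, PTR record and function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample zone fragment, modelled on the origin in the post.
SAMPLE_ZONE = """$ORIGIN 168.192.IN-ADDR.ARPA.
$TTL 3600
1.0 IN PTR host.example.
"""

def wire_name(name, canonical):
    """DNS wire format of a name; lowercased first when canonical (RFC 4034 6.2)."""
    if canonical:
        name = name.lower()
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def rr_signed_bytes(owner, rtype, ttl, rdata, canonical):
    """One RR as it enters the signature input: name|type|class|TTL|rdlen|rdata."""
    header = struct.pack("!HHIH", rtype, 1, ttl, len(rdata))  # class 1 = IN
    return wire_name(owner, canonical) + header + rdata

def signing_digest(owner, rtype, ttl, rdata, canonical):
    """SHA-1 over the RR bytes (the RRSIG RDATA prefix is omitted in this sketch)."""
    return hashlib.sha1(rr_signed_bytes(owner, rtype, ttl, rdata, canonical)).hexdigest()

def uppercase_origins(zone_text):
    """Return (line_number, origin) for each $ORIGIN that contains upper-case letters."""
    hits = []
    for number, line in enumerate(zone_text.splitlines(), 1):
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            if fields[1] != fields[1].lower():
                hits.append((number, fields[1]))
    return hits

if __name__ == "__main__":
    owner = "1.0.168.192.IN-ADDR.ARPA."
    rdata = wire_name("host.example.", True)   # PTR target in canonical form
    as_written = signing_digest(owner, 12, 3600, rdata, canonical=False)
    validator = signing_digest(owner, 12, 3600, rdata, canonical=True)
    print("signer (name as written):", as_written)
    print("validator (canonical)   :", validator)
    print("digests match           :", as_written == validator)
    for number, origin in uppercase_origins(SAMPLE_ZONE):
        print("line %d: lowercase this origin before signing: %s" % (number, origin))
```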