Maintained by: NLnet Labs

SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

Casey Deccio
Tue Feb 2 19:45:10 CET 2016


On Tue, Feb 2, 2016 at 11:59 AM, A. Schulze via Unbound-users <
unbound-users at unbound.net> wrote:

>
> if I disable "use-caps-for-id" I get NXDOMAIN from unbound.
> so "caps-whitelist: postbank.de" solved the issue for me.
>
>
Looks like the postbank.de servers aren't performing a proper NSEC3 hash of
the mixed-case query name, so the provided closest encloser proof fails:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.pOstbank.de | grep 'IN NSEC3'
8opkcg718inciqib0r7f67m9g4o4gh71.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 8OPKCG718INCIQIB0R7F67M9G4O4GH73
v7ec9togm33vtn1pqin295lhh5tufuir.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 V7EC9TOGM33VTN1PQIN295LHH5TUFUIS
kt61b6gn579tvif3qsltnjg3f1f8umc6.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 KT61B6GN579TVIF3QSLTNJG3F1F8UMC8
$ nsec3hash E80EE91FDC6B4795 1 1 pOstbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

But:

$ dig +noall +authority +dnssec @ns1.postbank.de foobar.postbank.de | grep 'IN NSEC3'
rin3s92an87plvf22qr8pdrd0sa7ki5g.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 RIN3S92AN87PLVF22QR8PDRD0SA7KI5H
33okvta5htf2hmv16mrerpavmogho4ug.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 33OKVTA5HTF2HMV16MRERPAVMOGHO4UI
262b532h7r3gsgleslnb9f9fmumi3qb1.postbank.de. 86400 IN NSEC3 1 0 1 E80EE91FDC6B4795 262B532H7R3GSGLESLNB9F9FMUMI3QB3
$ nsec3hash E80EE91FDC6B4795 1 1 postbank.de
RIN3S92AN87PLVF22QR8PDRD0SA7KI5G (salt=E80EE91FDC6B4795, hash=1, iterations=1)

Cheers,
Casey
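The check Casey describes can be reproduced offline. The following is an added example, not code from the thread or from Unbound: it implements the NSEC3 hash of RFC 5155 (canonical lowercase wire-format name, SHA-1, salt and iterations as shown in the message) and then runs the three-record NXDOMAIN proof that a validating resolver performs against the two NSEC3 sets quoted above. The salt, the hash value for postbank.de and the NSEC3 owner/next pairs are taken from the message; the function and variable names are my own, and the example assumes (as is the case for foobar.postbank.de) that the closest encloser is the zone apex.

```python
import base64
import hashlib

# NSEC3 parameters copied from the nsec3hash call in the message:
# salt E80EE91FDC6B4795, hash algorithm 1 (SHA-1), 1 iteration.
SALT = bytes.fromhex("E80EE91FDC6B4795")
ITERATIONS = 1
ZONE = "postbank.de"

# (owner hash, next hash) pairs from the dig output for foobar.pOstbank.de
MIXED_CASE_NSEC3 = [
    ("8OPKCG718INCIQIB0R7F67M9G4O4GH71", "8OPKCG718INCIQIB0R7F67M9G4O4GH73"),
    ("V7EC9TOGM33VTN1PQIN295LHH5TUFUIR", "V7EC9TOGM33VTN1PQIN295LHH5TUFUIS"),
    ("KT61B6GN579TVIF3QSLTNJG3F1F8UMC6", "KT61B6GN579TVIF3QSLTNJG3F1F8UMC8"),
]
# ... and from the dig output for foobar.postbank.de
LOWER_CASE_NSEC3 = [
    ("RIN3S92AN87PLVF22QR8PDRD0SA7KI5G", "RIN3S92AN87PLVF22QR8PDRD0SA7KI5H"),
    ("33OKVTA5HTF2HMV16MRERPAVMOGHO4UG", "33OKVTA5HTF2HMV16MRERPAVMOGHO4UI"),
    ("262B532H7R3GSGLESLNB9F9FMUMI3QB1", "262B532H7R3GSGLESLNB9F9FMUMI3QB3"),
]

# base32 (RFC 4648) alphabet -> base32hex alphabet used by NSEC3 owner names
_TO_BASE32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name, canonical=True):
    """Wire-format domain name: length-prefixed labels ending with the root
    label. RFC 4034 s6.2 canonical form lowercases ASCII letters; the
    canonical=False switch skips that so a non-canonical hash can be compared."""
    if canonical:
        name = name.lower()
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS, canonical=True):
    """NSEC3 hash per RFC 5155 s5: H(name||salt), re-hashed with the salt
    `iterations` more times, base32hex-encoded (20 SHA-1 bytes -> 32 chars)."""
    digest = hashlib.sha1(wire_name(name, canonical) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX)


def _covers(owner, nxt, h):
    """Is h strictly inside the (owner, next) interval? base32hex strings sort
    in numeric order, and the last record of the chain wraps around."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def check_denial(qname, zone, records):
    """The NXDOMAIN proof a validator needs when the closest encloser is the
    zone apex: an NSEC3 matching the apex, one covering the next closer name
    (qname itself here) and one covering the wildcard *.<apex>.
    Returns the individual checks plus the overall verdict."""
    recs = [(o.upper(), n.upper()) for o, n in records]
    ce_hash = nsec3_hash(zone)
    nc_hash = nsec3_hash(qname)
    wc_hash = nsec3_hash("*." + zone)
    result = {
        "closest_encloser": any(o == ce_hash for o, _ in recs),
        "next_closer": any(_covers(o, n, nc_hash) for o, n in recs),
        "wildcard": any(_covers(o, n, wc_hash) for o, n in recs),
    }
    result["proven"] = all(result.values())
    return result


if __name__ == "__main__":
    # Case must not matter: both spellings hash to RIN3S92AN87PLVF22QR8PDRD0SA7KI5G
    for q in ("pOstbank.de", "postbank.de"):
        print(q, "->", nsec3_hash(q))
    print("mixed-case response:", check_denial("foobar.pOstbank.de", ZONE, MIXED_CASE_NSEC3))
    print("lowercase response: ", check_denial("foobar.postbank.de", ZONE, LOWER_CASE_NSEC3))
```

Running it shows why Unbound's "use-caps-for-id" randomisation tripped over this zone: the apex hash is the same for either spelling, so the proof depends entirely on the server hashing the canonical name, and none of the three records returned for the mixed-case query has RIN3S92... as owner, so the closest-encloser step fails before next-closer or wildcard coverage is even considered. The `canonical=False` switch hashes the name as typed; comparing that value with the owner hashes the server sent for the mixed-case query is one way to test the explanation in the message, which this example does not itself verify.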