<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt; color: #000000"><div>Hi,</div><div><br></div><div>We're using OpenDNSSEC 2.1.12 to sign some of our zones. (I know it's not the latest version, but I didn't see anything related to this in the release notes from 2.1.12 to 2.1.13.)</div><div><br></div><div>We had this kind of record for a subdomain in the parent zone:</div><div><br></div><pre style="font-size: 13.3333px;">subdomain   21600   IN   NS   ns1.xxx.net.
subdomain   21600   IN   NS   ns2.xxx.net.
subdomain   900     IN   DS   50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
subdomain   900     IN   DS   50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0
</pre><div><br></div><div>I.e., this subdomain had two DS records that were identical, except one was in uppercase and one was in lowercase. This caused OpenDNSSEC to create an RRSIG for subdomain/DS that failed to validate. After we removed this duplicate record and asked OpenDNSSEC to re-sign the zone, this record still failed to validate. OpenDNSSEC had actually re-used the signature even though the record set changed -> we had to run "ods-signer clear zone" to force a resign.</div><div><br></div><div>Is anybody able to replicate this?</div><div><br></div></div><div data-marker="__SIG_PRE__">-- <br>Juha Suhonen<br>Senior Systems Specialist<br>CSC - Tieteen tietotekniikan keskus Oy<br>juha.suhonen@csc.fi</div></div></body></html>
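The two DS lines in the post are one RR as far as the wire format is concerned: the digest field is case-insensitive hex (RFC 4034 s.5.3), and a signer hashes the canonical wire form of each RR, not its presentation text. An RRset also must not contain duplicate RRs (RFC 2181 s.5). The following is an added example, not code from the original post or from OpenDNSSEC, that lints a DS RRset the way a signer would see it: it parses the records, builds the RFC 4034 canonical form, and reports records that collapse into the same RR. The sample zone lines are constructed from the records in the post; the parent zone origin `example.net.` is an assumption, since the post does not name it.

```python
"""Check a DS RRset for records that are duplicates once canonicalised.

Added example, not code from OpenDNSSEC or from the original post. It parses
DS records from presentation format, converts each to the RFC 4034 wire form a
signer hashes, and reports records that are byte-identical on the wire even
though their presentation text differs (here: hex digest case). The digest is
case-insensitive hex (RFC 4034 s.5.3), and an RRset must not contain duplicate
RRs (RFC 2181 s.5). Standard library only; run with python3.
"""
import struct

TYPE_DS = 43
CLASS_IN = 1

# Constructed sample, modelled on the records in the post; the zone origin
# "example.net." is an assumption (the post does not name the parent zone).
ORIGIN = "example.net."
SAMPLE_ZONE = """\
subdomain   21600  IN  NS  ns1.xxx.net.
subdomain   21600  IN  NS  ns2.xxx.net.
subdomain   900    IN  DS  50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
subdomain   900    IN  DS  50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0
"""


def name_to_wire(name, origin=ORIGIN):
    """Canonical owner name (RFC 4034 s.6.2): absolute, lowercased, wire-encoded."""
    if not name.endswith("."):
        name = name + "." + origin
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_rdata_to_wire(keytag, alg, dtype, digest_hex):
    """DS RDATA (RFC 4034 s.5.1): key tag, algorithm, digest type, raw digest."""
    # bytes.fromhex() accepts either case, which is exactly why the two
    # records in the sample collapse into one RR on the wire.
    return struct.pack("!HBB", int(keytag), int(alg), int(dtype)) + bytes.fromhex(digest_hex)


def parse_ds_records(zone_text, origin=ORIGIN):
    """Return a list of (presentation line, owner, ttl, wire rdata) for each DS line."""
    records = []
    for raw in zone_text.splitlines():
        if raw.startswith(";"):
            continue
        parts = raw.split()
        if len(parts) < 8 or parts[2].upper() != "IN" or parts[3].upper() != "DS":
            continue
        owner, ttl = parts[0], int(parts[1])
        # The digest may be split over several whitespace-separated chunks.
        rdata = ds_rdata_to_wire(parts[4], parts[5], parts[6], "".join(parts[7:]))
        records.append((raw, owner, ttl, rdata))
    return records


def canonical_rr(owner, ttl, rdata, origin=ORIGIN):
    """Canonical RR wire form as covered by an RRSIG (RFC 4034 s.6.2):
    owner | type | class | TTL | RDLENGTH | RDATA. The TTL here stands in for
    the RRSIG's Original TTL field, which is what the signer actually uses."""
    header = struct.pack("!HHIH", TYPE_DS, CLASS_IN, ttl, len(rdata))
    return name_to_wire(owner, origin) + header + rdata


def find_duplicate_ds(zone_text, origin=ORIGIN):
    """Map canonical RR bytes -> presentation lines, for RRs that occur more than once."""
    seen = {}
    for raw, owner, ttl, rdata in parse_ds_records(zone_text, origin):
        seen.setdefault(canonical_rr(owner, ttl, rdata, origin), []).append(raw)
    return {rr: lines for rr, lines in seen.items() if len(lines) > 1}


def canonical_ds_rrset(zone_text, origin=ORIGIN):
    """Unique DS RRs in canonical order (RFC 4034 s.6.3), as they should be signed.

    Within one RRset the owner/type/class/TTL prefix is identical for every RR,
    so sorting the full canonical RR bytes is the same as sorting by RDATA."""
    rrs = {canonical_rr(o, t, r, origin) for _, o, t, r in parse_ds_records(zone_text, origin)}
    return sorted(rrs)


if __name__ == "__main__":
    for rr, lines in find_duplicate_ds(SAMPLE_ZONE).items():
        print("duplicate DS RR, identical on the wire:")
        for line in lines:
            print("   ", line)
    print(len(canonical_ds_rrset(SAMPLE_ZONE)), "unique DS RR(s) in the canonical RRset")
```

Run against the sample, the script reports the two DS lines as one duplicated RR and a canonical RRset of a single DS record. Running a check like this over the unsigned zone before handing it to the signer catches the duplicate at the input stage, where it is cheaper to fix than after a bad RRSIG has been published.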