From: Juha Suhonen (juha.suhonen at csc.fi)
Date: Sun, 19 May 2024 20:14:18 +0300 (EEST)
Subject: [Opendnssec-user] OpenDNSSEC creates signatures that fail validation when subdomain has multiple almost-identical DS records
Message-ID: <1334628304.40694324.1716138858110.JavaMail.zimbra@csc.fi>

Hi,

We're using OpenDNSSEC 2.1.12 to sign some of our zones. (I know it's not the latest version, but I didn't see anything related to this in the release notes from 2.1.12 to 2.1.13.)

We had this kind of records for a subdomain in the parent zone:

    subdomain 21600 IN NS ns1.xxx.net.
    subdomain 21600 IN NS ns2.xxx.net.
    subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
    subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0

I.e., this subdomain had two DS records that were identical, except one was in uppercase and one was in lowercase. This caused OpenDNSSEC to create an RRSIG for subdomain/DS that failed to validate.

After we removed this duplicate record and asked OpenDNSSEC to re-sign the zone, this record still failed to validate. OpenDNSSEC had actually re-used the signature even though the record set changed -> we had to run "ods-signer clear zone" to force a resign.

Is anybody able to replicate this?

-- 
Juha Suhonen
Senior Systems Specialist
CSC - Tieteen tietotekniikan keskus Oy
juha.suhonen at csc.fi
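The two DS records in the post differ only in the case of the hex digest, and the hex digest exists only in presentation format: on the wire a DS RDATA is key tag, algorithm, digest type and the raw digest bytes, so both lines encode the very same RR. RFC 4034 section 6.3 requires an RRset to be signed in canonical form, with RDATA sorted as octet strings and duplicate RRs removed, and a validator reconstructs that same canonical form before checking the RRSIG. The following is an added example, written for this page and not code from OpenDNSSEC or from the poster; it encodes the posted DS records to wire form and builds the canonical RRset, which is a quick way to check whether two "different looking" DS lines in a zone file are in fact one record. The record strings are taken from the post; the function names are this example's own.

```python
import binascii
import struct

# Input constructed from the two DS lines quoted in the post (presentation format).
DS_RECORDS = [
    "subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0",
    "subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0",
]

# Expected digest lengths per DS digest type (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}


def ds_rdata_wire(presentation: str) -> bytes:
    """Encode the RDATA of one DS record (RFC 4034 section 5.1) in wire form:
    key tag (2 bytes), algorithm (1), digest type (1), digest (raw bytes).

    Hex case is irrelevant because the digest is decoded to bytes; whitespace
    inside the digest field (allowed in zone files) is joined before decoding.
    """
    fields = presentation.split()
    if len(fields) < 8 or fields[2] != "IN" or fields[3] != "DS":
        raise ValueError("not an IN DS record: " + presentation)
    key_tag, algorithm, digest_type = (int(f) for f in fields[4:7])
    digest = binascii.unhexlify("".join(fields[7:]))
    expected = DIGEST_LEN.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} needs {expected} bytes, got {len(digest)}"
        )
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def canonical_rrset(records) -> list:
    """Canonical RRset per RFC 4034 section 6.3: distinct wire RDATA only,
    sorted as left-justified unsigned octet strings. This is the sequence a
    signer must sign and a validator reconstructs before verifying the RRSIG;
    a signer that keeps both "duplicates" signs something the validator will
    never rebuild.
    """
    return sorted({ds_rdata_wire(r) for r in records})


def describe(records) -> str:
    """Human-readable summary: how many presentation lines collapse to how
    many wire RRs."""
    wire = canonical_rrset(records)
    lines = [f"{len(records)} DS line(s) -> {len(wire)} distinct wire RR(s)"]
    for rdata in wire:
        key_tag, alg, dtype = struct.unpack("!HBB", rdata[:4])
        lines.append(
            f"  keytag={key_tag} alg={alg} dtype={dtype} digest={rdata[4:].hex()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(DS_RECORDS))
```

Running it prints one distinct RR for the two posted lines. The digest-length check is there because the same code path is where a truncated or padded DS digest would otherwise be silently accepted; any DS line that fails it should be fixed in the parent zone before signing.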