[Opendnssec-user] Opendnssec creates signatures that fail validation when subdomain has multiple almost-identical DS records
Juha Suhonen
juha.suhonen at csc.fi
Sun May 19 17:14:18 UTC 2024
Hi,
We're using OpenDNSSEC 2.1.12 to sign some of our zones. (I know it's not the latest version, but I didn't see anything related to this in the release notes from 2.1.12 to 2.1.13).
We had these kinds of records for a subdomain in the parent zone:
subdomain 21600 IN NS ns1.xxx.net.
subdomain 21600 IN NS ns2.xxx.net.
subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0
I.e., this subdomain had two DS records that were identical, except one was in uppercase and one was in lowercase. This caused OpenDNSSEC to create an RRSIG for subdomain/DS that failed to validate. After we removed this duplicate record and asked OpenDNSSEC to re-sign the zone, this record still failed to validate. OpenDNSSEC had actually re-used the signature even though the record set changed -> we had to run "ods-signer clear zone" to force a resign.
Is anybody able to replicate this?
--
Juha Suhonen
Senior Systems Specialist
CSC - Tieteen tietotekniikan keskus Oy
juha.suhonen at csc.fi
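The following is an added illustration, not part of the original post and not OpenDNSSEC code. It shows why two DS records that differ only in the case of the hex digest are a problem for a signer: in presentation format they are two distinct strings, but once parsed to wire form (RFC 4034 section 5.1) their RDATA is byte-identical, and RFC 4034 section 6.3 requires an implementation that tolerates such duplicates to collapse them to one RR before computing the canonical RRset. If the signer keeps both copies in the data it signs while the validator sees only one, the RRSIG cannot verify. The owner name "subdomain.example." and the dedupe/no-dedupe split are assumptions made for the example; the two DS records are the ones quoted above.

```python
import hashlib
import struct

# Constructed sample: the two DS records from the post, differing only in hex case.
DS_RECORDS_TEXT = [
    "subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0",
    "subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0",
]

TYPE_DS = 43
CLASS_IN = 1


def ds_rdata_wire(text):
    """Parse a DS record in presentation format and return its RDATA in wire form
    (RFC 4034 5.1): key tag (2 octets), algorithm (1), digest type (1), digest (n)."""
    fields = text.split()  # owner ttl class type keytag alg digesttype digest...
    key_tag, alg, digest_type = int(fields[4]), int(fields[5]), int(fields[6])
    digest = bytes.fromhex("".join(fields[7:]))  # fromhex accepts either hex case
    return struct.pack("!HBB", key_tag, alg, digest_type) + digest


def owner_wire(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def canonical_rrset(rdatas, dedupe=True):
    """Canonical RRset ordering (RFC 4034 6.3): sort RDATA as octet strings.
    dedupe=True collapses byte-identical RDATA to one RR, as the RFC directs a
    lenient implementation to do; dedupe=False models a signer that keeps both."""
    if dedupe:
        rdatas = set(rdatas)
    return sorted(rdatas)


def rr_portion_of_signed_data(owner, ttl, rdatas):
    """The RR(i) part of the data an RRSIG covers (RFC 4034 3.1.8.1):
    owner | type | class | original TTL | RDLENGTH | RDATA, for each RR in canonical order."""
    out = b""
    for rd in rdatas:
        out += owner + struct.pack("!HHIH", TYPE_DS, CLASS_IN, ttl, len(rd)) + rd
    return out


def compare_signer_and_validator_views():
    """Return what a signer keeping duplicates and a validator dropping them would each hash."""
    rdatas = [ds_rdata_wire(t) for t in DS_RECORDS_TEXT]
    owner = owner_wire("subdomain.example.")  # assumed owner name for the example
    signer_view = rr_portion_of_signed_data(owner, 900, canonical_rrset(rdatas, dedupe=False))
    validator_view = rr_portion_of_signed_data(owner, 900, canonical_rrset(rdatas, dedupe=True))
    return {
        "wire_rdata_identical": rdatas[0] == rdatas[1],
        "rr_count_without_dedupe": len(canonical_rrset(rdatas, dedupe=False)),
        "rr_count_with_dedupe": len(canonical_rrset(rdatas, dedupe=True)),
        "covered_data_matches": hashlib.sha256(signer_view).digest()
        == hashlib.sha256(validator_view).digest(),
    }


if __name__ == "__main__":
    for key, value in compare_signer_and_validator_views().items():
        print(f"{key}: {value}")
```

A quick check before signing, or a zone lint step, is to parse every RRset to wire form and reject or collapse byte-identical RDATA; the text-level comparison that catches "ns1 vs ns2" will not catch the case difference above, so the comparison has to be on wire RDATA.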