NLnetLabs / ldns

LDNS is a DNS library that facilitates DNS tool programming
https://nlnetlabs.nl/ldns
BSD 3-Clause "New" or "Revised" License

ldns-signzone handles hostnames case-sensitively if they include a full stop #111

Closed dilyanpalauzov closed 3 years ago

dilyanpalauzov commented 3 years ago

In the zone for bapha.be I insert

MAA             IN A 127.0.0.1
_caldavs._tcp.MAA       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"

mab             IN A 127.0.0.2
_caldavs._tcp.mab       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"

_caldavs._tcp.MAC       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
MAC             IN A 127.0.0.3

_caldavs._tcp.mad       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
mad             IN A 127.0.0.4

_caldavs._tcp.mae       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
MAE             IN A 127.0.0.5

_CALDAVS._tcp.maf       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
mag             IN A 127.0.0.6

_caldavs._TCP.mah       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
mah             IN A 127.0.0.7

_CALDAVS._tcp.mai       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
mai             IN A 127.0.0.8

_caldavs._tcp.mAj       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
maj             IN A 127.0.0.9

_caldavs._tcp.mak       IN SRV 0 1 444 aaa.bapha.be.
                        IN TXT "path=/dav/calendars"
maK             IN A 127.0.0.6

and then run ldns-signzone 1.7.1.

Then I validate the NSEC record for maa.bapha.be, mab.bapha.be, mac.bapha.be etc., e.g. by visiting https://dns.google.com/query?name=maa.bapha.be&type=txt&dnssec=true

The NSEC record is correct for mab.bapha.be, mad.bapha.be, mae.bapha.be, and mak.bapha.be.

The NSEC record is wrong for maa.bapha.be, mac.bapha.be, mag.bapha.be, mah.bapha.be, mai.bapha.be, and maj.bapha.be.

My understanding is that the host names in the zone file are always case-insensitive, but ldns-signzone does not think so for addresses with a dot.

dilyanpalauzov commented 3 years ago

I generate the keys on one (stealth) server and then push them for publishing on another server. I just found that the publishing server lowercases the hostnames in the NSEC RRs, while the stealth server announces case-sensitive NSEC records.

That said, I think ldns-signzone is correct.
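The rule behind this thread is RFC 4034 section 6.1: for DNSSEC, owner names are ordered label by label starting from the root, with each label compared as an unsigned octet string and uppercase US-ASCII letters treated as lowercase, and a name that is an ancestor of another sorts first. A signer that builds the NSEC chain without folding case produces a differently ordered chain, and a validator, which compares case-insensitively, can then find an NSEC that "covers" a name that actually exists. The script below is an added example, not code from ldns or from the issue. It takes the owner names from the zone fragment posted above (the empty non-terminals such as _tcp.maa get no NSEC of their own and are left out), builds the chain in canonical order, checks which NSEC matches or covers a query name, and, for contrast, shows what a hypothetical signer sorting case-sensitively would produce; the chain construction and that case-sensitive comparison are this example's own, not a description of what ldns-signzone does. One caveat that the example does not model: RFC 4034 section 6.2 lowercases the owner name when computing the canonical form that is signed, but per RFC 6840 section 5.1 the Next Domain Name in NSEC RDATA is not lowercased, so a server that rewrites the case of that field is changing signed data.

```python
"""Canonical DNS name ordering (RFC 4034 section 6.1) and NSEC coverage.

Added example; not code from the ldns project or from the issue. The owner
names are the ones posted in the report; the chain construction and the
case-sensitive comparison shown for contrast are this example's own.
"""

ZONE_APEX = "bapha.be."

# Owner names that carry RRsets in the posted zone fragment, in posted order
# (constructed from the report; the empty non-terminals get no NSEC).
OWNERS = [
    "MAA.bapha.be.", "_caldavs._tcp.MAA.bapha.be.",
    "mab.bapha.be.", "_caldavs._tcp.mab.bapha.be.",
    "_caldavs._tcp.MAC.bapha.be.", "MAC.bapha.be.",
    "_caldavs._tcp.mad.bapha.be.", "mad.bapha.be.",
    "_caldavs._tcp.mae.bapha.be.", "MAE.bapha.be.",
    "_CALDAVS._tcp.maf.bapha.be.", "mag.bapha.be.",
    "_caldavs._TCP.mah.bapha.be.", "mah.bapha.be.",
    "_CALDAVS._tcp.mai.bapha.be.", "mai.bapha.be.",
    "_caldavs._tcp.mAj.bapha.be.", "maj.bapha.be.",
    "_caldavs._tcp.mak.bapha.be.", "maK.bapha.be.",
]


def labels(name: str) -> list[bytes]:
    """Split an absolute name into its labels as bytes; the root has none."""
    name = name.rstrip(".")
    return [label.encode("ascii") for label in name.split(".")] if name else []


def canonical_key(name: str) -> tuple[bytes, ...]:
    """Sort key implementing RFC 4034 6.1 canonical ordering.

    Labels are compared from the root (rightmost) label inwards, each as an
    unsigned octet string with uppercase US-ASCII folded to lowercase. A
    shorter tuple sorts before its extensions, so an ancestor name sorts
    before the names below it, as the RFC requires.
    """
    return tuple(label.lower() for label in reversed(labels(name)))


def case_sensitive_key(name: str) -> tuple[bytes, ...]:
    """NOT the RFC ordering: the same label-wise comparison without case
    folding. Used only to show what a signer that skips folding would build."""
    return tuple(reversed(labels(name)))


def build_nsec_chain(apex: str, owners, key=canonical_key):
    """Return the NSEC chain as (owner, next) pairs in the order given by key.

    Names equal under key are one owner (first spelling kept); the last NSEC
    points back to the apex, closing the ring.
    """
    unique = {}
    for name in [apex, *owners]:
        unique.setdefault(key(name), name)
    ordered = [unique[k] for k in sorted(unique)]
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the NSEC owner -> nxt denies qname: owner < qname < nxt in
    canonical order, or, for the last NSEC in the zone (nxt <= owner), qname
    after owner or before nxt. Comparison is case-insensitive per RFC 4034."""
    ko, kn, kq = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if ko < kn:
        return ko < kq < kn
    return kq > ko or kq < kn


def find_proof(chain, qname: str):
    """What the chain says about qname, compared case-insensitively:
    ("match", owner) when qname itself owns an NSEC (the name exists; its type
    bitmap settles a NODATA answer), ("cover", owner, next) when some NSEC
    denies the name, else ("none",)."""
    kq = canonical_key(qname)
    for owner, nxt in chain:
        if canonical_key(owner) == kq:
            return ("match", owner)
    for owner, nxt in chain:
        if nsec_covers(owner, nxt, qname):
            return ("cover", owner, nxt)
    return ("none",)


def existing_names_denied(chain, owners) -> list[str]:
    """Owners with data that some NSEC in the chain covers. A correctly
    ordered chain has none; each entry is a name a validator would accept a
    denial of existence for."""
    return [o for o in owners if any(nsec_covers(ow, nx, o) for ow, nx in chain)]


if __name__ == "__main__":
    canonical = build_nsec_chain(ZONE_APEX, OWNERS)
    for owner, nxt in canonical:
        print(f"{owner:32} NSEC {nxt}")
    print("existing names denied, canonical order:",
          existing_names_denied(canonical, OWNERS))
    wrong = build_nsec_chain(ZONE_APEX, OWNERS, case_sensitive_key)
    print("existing names denied, case-sensitive sort:",
          len(existing_names_denied(wrong, OWNERS)), "of", len(OWNERS))
    print(find_proof(canonical, "MaD.BAPHA.BE."))
```

In the canonical chain every mixed-case name lands next to its lowercase neighbours (MAA, _caldavs._tcp.MAA, mab, ...), no NSEC covers an existing name, and a query spelled MaD.BAPHA.BE. matches the NSEC owned by mad.bapha.be., which is why either spelling of the owner names in the published NSEC records validates as long as the ordering was computed case-insensitively. In the case-sensitive variant the uppercase names sort ahead of all the lowercase ones, and the resulting (owner, next) pairs, read by a validator that folds case, cover names that have data.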