Closed dilyanpalauzov closed 3 years ago
I generate the keys on one (stealth) server and then push them for publishing on another server. I just found that the publishing server lowercases the hostnames in NSEC RR, while the stealth server announces case-sensitive NSEC records.
That said, I think ldns-signzone is correct.
In the zone for bapha.be I insert
and then run ldns-signzone 1.7.1.
Then I validate the NSEC record for maa.bapha.be, mab.bapha.be, mac.bapha.be, etc., e.g. by visiting https://dns.google.com/query?name=maa.bapha.be&type=txt&dnssec=true
The NSEC record is correct for mab.bapha.be, mad.bapha.be, mae.bapha.be, and mak.bapha.be.
The NSEC record is wrong for maa.bapha.be, mac.bapha.be, mag.bapha.be, mah.bapha.be, mai.bapha.be, and maj.bapha.be.
My understanding is that the host names in the zone file are always case-insensitive, but ldns-signzone does not think so for addresses with a dot.
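
For reference, an added example that is not part of the original issue and is not ldns code: canonical DNS name ordering as defined in RFC 4034, section 6.1 (labels compared right to left, with uppercase ASCII folded to lowercase), the NSEC chain it implies, and a check that lists owner names whose "next" name changes when the sort is case-sensitive instead. The owner names are constructed (the zone lines from the report are not on this page), the function names are hypothetical, and names are assumed to be in plain presentation format without escaped dots.

```python
# Added example: canonical ordering (RFC 4034, section 6.1) and the NSEC chain.
# All names below are constructed sample data, not the records from the report.

def canonical_key(name):
    """Sort key: labels right to left, uppercase ASCII folded to lowercase.
    A name that is a prefix of another (fewer labels) sorts first."""
    labels = name.rstrip(".").split(".")
    return [label.lower().encode("ascii") for label in reversed(labels)]

def case_sensitive_key(name):
    """Incorrect key, for comparison only: same walk without case folding."""
    labels = name.rstrip(".").split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_chain(names, key=canonical_key):
    """Map each owner name to its NSEC next name; the last wraps to the first."""
    ordered = sorted(names, key=key)
    return {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}

def chain_mismatches(names):
    """Owner names whose next name differs between the two orderings."""
    good = nsec_chain(names)
    bad = nsec_chain(names, key=case_sensitive_key)
    differing = [n for n in names if good[n].lower() != bad[n].lower()]
    return sorted(differing, key=canonical_key)

# Constructed zone: mixed-case owner names, one with an extra label.
ZONE = [
    "example.test.",
    "maa.example.test.",
    "MAB.example.test.",
    "mac.example.test.",
    "x.MAB.example.test.",
    "mad.example.test.",
]

if __name__ == "__main__":
    for owner, nxt in nsec_chain(ZONE).items():
        print(f"{owner:24} NSEC {nxt}")
    print("differs under case-sensitive sort:", chain_mismatches(ZONE))
```

Comparing the chain computed this way against the NSEC records a signer or publishing server actually serves shows which owner names were ordered with a different rule.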