Hi, 

We're using OpenDNSSEC 2.1.12 to sign some of our zones. (I know it's not the 
latest version, but I didn't see anything related to this in the release notes 
from 2.1.12 to 2.1.13). 


We had this kind of record for a subdomain in the parent zone:

subdomain 21600 IN NS ns1.xxx.net.
subdomain 21600 IN NS ns2.xxx.net.
subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0

I.e., this subdomain had two DS records that were identical, except one was in
uppercase and one was in lowercase. This caused opendnssec to create a RRSIG
for subdomain/DS that failed to validate. After we removed this duplicate
record and asked opendnssec to re-sign the zone, this record still failed to
validate. opendnssec had actually re-used the signature even though the record
set changed -> we had to run "ods-signer clear zone" to force a resign.

Is anybody able to replicate this? 


-- 
Juha Suhonen 
Senior Systems Specialist 
CSC - Tieteen tietotekniikan keskus Oy 
juha.suho...@csc.fi 
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
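As an added illustration (example code, not from the report and not OpenDNSSEC's own code), the Python below builds the RFC 4034 canonical form of a DS RRset: the two records from the report, which differ only in hex digest case, collapse to a single wire RR, which is exactly the condition a pre-signing zone lint can flag. The owner name `subdomain.example.` and the sample RRset are constructed for the example.

```python
import struct

# Constructed sample input, modelled on the report: two DS records whose only
# difference is the case of the hex digest. The owner name is a placeholder.
SAMPLE_DS_RRSET = [
    "subdomain.example. 900 IN DS 50900 8 2 "
    "d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0",
    "subdomain.example. 900 IN DS 50900 8 2 "
    "D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0",
]
TYPE_DS, CLASS_IN = 43, 1


def canonical_name(name: str) -> bytes:
    """Wire-format owner name, lowercased as RFC 4034 section 6.2 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_ds(line: str):
    """Split a presentation-format DS RR into (canonical owner, ttl, wire RDATA).
    bytes.fromhex() accepts either case, so the two sample digests become equal."""
    owner, ttl, _cls, rrtype, key_tag, alg, dtype, digest = line.split()
    if rrtype != "DS":
        raise ValueError("only DS records are handled in this example")
    rdata = struct.pack("!HBB", int(key_tag), int(alg), int(dtype)) + bytes.fromhex(digest)
    return canonical_name(owner), int(ttl), rdata


def canonical_rrset(lines):
    """Deduplicated, canonically ordered wire RRs (RFC 4034 section 6.3): the
    byte sequence a signer must sign and a validator reconstructs from the wire."""
    unique = {parse_ds(l) for l in lines}           # identical wire RRs collapse here
    # 6.3: order by RDATA as a left-justified unsigned octet sequence.
    return [owner + struct.pack("!HHIH", TYPE_DS, CLASS_IN, ttl, len(rdata)) + rdata
            for owner, ttl, rdata in sorted(unique, key=lambda rr: rr[2])]


def case_only_duplicates(lines):
    """Pairs of lines that differ as text but are the same RR on the wire, i.e.
    the condition from the report that a pre-signing zone lint should flag."""
    seen, dupes = {}, []
    for line in lines:
        key = parse_ds(line)
        if key in seen:
            dupes.append((seen[key], line))
        else:
            seen[key] = line
    return dupes
```

Running `case_only_duplicates(SAMPLE_DS_RRSET)` returns the one offending pair, while `canonical_rrset(SAMPLE_DS_RRSET)` yields the single RR a validator would actually check the RRSIG against.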
