Hi,

We're using OpenDNSSEC 2.1.12 to sign some of our zones. (I know it's not the latest version, but I didn't see anything related to this in the release notes from 2.1.12 to 2.1.13).

We had these kinds of records for a subdomain in the parent zone:

    subdomain 21600 IN NS ns1.xxx.net.
    subdomain 21600 IN NS ns2.xxx.net.
    subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
    subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0

I.e., this subdomain had two DS records that were identical, except one was in uppercase and one was in lowercase. This caused opendnssec to create a RRSIG for subdomain/DS that failed to validate.

After we removed this duplicate record and asked opendnssec to re-sign the zone, this record still failed to validate. opendnssec had actually re-used the signature even though the record set changed -> we had to run "ods-signer clear zone" to force a resign.

Is anybody able to replicate this?

--
Juha Suhonen
Senior Systems Specialist
CSC - Tieteen tietotekniikan keskus Oy
juha.suho...@csc.fi
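
Added example, not part of the original post and not OpenDNSSEC code: a pre-signing lint that flags DS records which become duplicates once the digest is compared as bytes rather than as text, since DS digest hex is case-insensitive in presentation format. The function names are hypothetical, the sample zone is constructed from the records quoted above, and only the simple one-line record layout shown in the post is assumed.

```python
"""Pre-signing lint: flag DS records that are duplicates once the digest is
compared as bytes rather than as text (hex digits are case-insensitive)."""
from collections import defaultdict

# Constructed sample mirroring the records quoted in the post.
SAMPLE_ZONE = """\
subdomain 21600 IN NS ns1.xxx.net.
subdomain 21600 IN NS ns2.xxx.net.
subdomain 900 IN DS 50900 8 2 d335c87764a7f94753f0eaf489ebb82bedb65068cc96d69c913531905c1f70d0
subdomain 900 IN DS 50900 8 2 D335C87764A7F94753F0EAF489EBB82BEDB65068CC96D69C913531905C1F70D0
"""


def parse_ds(line):
    """Return (canonical_key, original_text) for a one-line DS record, else None.

    Assumes the 'owner ttl IN DS keytag alg digesttype digest...' layout used
    in the post; multi-line records and $-directives are not handled.
    """
    fields = line.split(";", 1)[0].split()  # drop trailing comment, tokenize
    if len(fields) < 8 or fields[2].upper() != "IN" or fields[3].upper() != "DS":
        return None
    owner = fields[0].lower()  # owner names compare case-insensitively
    keytag, alg, dtype = (int(f) for f in fields[4:7])
    # Whitespace inside the digest is allowed, so join the remaining tokens.
    digest = bytes.fromhex("".join(fields[7:]))
    return (owner, keytag, alg, dtype, digest), " ".join(fields)


def find_duplicate_ds(zone_text):
    """Map canonical DS key -> [(line_number, text), ...] for keys seen twice or more."""
    seen = defaultdict(list)
    for lineno, line in enumerate(zone_text.splitlines(), start=1):
        parsed = parse_ds(line)
        if parsed:
            key, text = parsed
            seen[key].append((lineno, text))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, hits in find_duplicate_ds(SAMPLE_ZONE).items():
        print(f"duplicate DS for {key[0]} (keytag {key[1]}):")
        for lineno, text in hits:
            print(f"  line {lineno}: {text}")
```
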