kzonecheck fails on case-sensitivity of owner names in NSEC records
Tested versions: 2.9.6/2.9.7/3.0.1
The following error message appears: "incoherent NSEC chain".
Steps to reproduce
create key
dnssec-keygen -a ECDSAP256SHA256 -f KSK foo.
Generating key pair.
Kfoo.+013+17470
create zone
Note the capital letters "NEW".
$TTL 86400 ; (1 day)
$ORIGIN foo.
@ IN SOA ns1.foo. hostmaster.foo. (
        1       ; serial
        14400   ; refresh (4 hours)
        1800    ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        3600    ; minimum (1 hour)
        )
        IN NS ns1.example.com.
        IN NS ns2.example.com.
        IN A 203.0.113.10
        IN AAAA 2001:DB8:BEEF:113::10
www-NEW IN CNAME example.com.
$INCLUDE Kfoo.+013+17470.key
sign zone
dnssec-signzone -o foo. -O full -P -t -x -z foo.zone Kfoo.+013+17470.private
foo.zone.signed
Signatures generated: 8
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.001
Signatures per second: 5021.971
Runtime in seconds: 0.005
verify zone with kzonecheck
Version used
kzonecheck -V
kzonecheck (Knot DNS), version 3.0.1
kzonecheck -o foo. foo.zone.signed
[foo.] incoherent NSEC chain
[www-new.foo.] incoherent NSEC chain
Error summary:
2 incoherent NSEC chain
As a reference, the signed zone file, which contains www-NEW.foo. in capital letters:
cat foo.zone.signed
; File written on Tue Nov 3 17:11:16 2020
; dnssec_signzone version 9.16.8
foo. 86400 IN SOA ns1.foo. hostmaster.foo. 1 14400 1800 1209600 3600
foo. 86400 IN RRSIG SOA 13 1 86400 20201203151116 20201103151116 17470 foo. 0cjFMPyfCO9V+hjuLm5Ank5CTOXXR3Wpbon2tUDGYHolGfwclmXUPRW2 yD4ybRo9/87VYTR5XBFTXc6OdLJPCg==
; resign=20201203151116
foo. 86400 IN NS ns1.example.com.
foo. 86400 IN NS ns2.example.com.
foo. 86400 IN RRSIG NS 13 1 86400 20201203151116 20201103151116 17470 foo. P5Vettob2iwqApHhZ5fdfcez7k2lPtBKjyTZEHm0QOziEYfCuXptrKpZ 7Q3gitOpDZQcXlXQ6BSFn3b/sLAPIw==
; resign=20201203151116
foo. 86400 IN A 203.0.113.10
foo. 86400 IN RRSIG A 13 1 86400 20201203151116 20201103151116 17470 foo. cXno7F2TDqKbJLY07wG8nFECIAxh3DpoxSVVpFGgbjyV4QXq5YBmL2xb mmCs55wvlq58dkb1tbaWncoCs03jGA==
; resign=20201203151116
foo. 86400 IN AAAA 2001:db8:beef:113::10
foo. 86400 IN RRSIG AAAA 13 1 86400 20201203151116 20201103151116 17470 foo. hzE6R1NnqWu9fUreeZj6QODjSl1ausDz3tZqnRaRp/KTCW8+HJxJJy4q geN6k7A0TOM7izvyd5dZAY6IZ+9Fbg==
; resign=20201203151116
foo. 3600 IN NSEC www-NEW.foo. A NS SOA AAAA RRSIG NSEC DNSKEY
foo. 3600 IN RRSIG NSEC 13 1 3600 20201203151116 20201103151116 17470 foo. es2cO3/dIO8/SbD5YyoYwpZff2O1LS6S0L6XyomKl3aQHIRyXEQskxX1 21KY3SmDEs8ifb4xxB9WxniZ+CsOgw==
; resign=20201203151116
foo. 86400 IN DNSKEY 257 3 13 wWp1TLQRFkBQyzKVxL7cKoKdph0PwUBrgYguZt3LmxeOuLMEVvnU1UrB vcFWbQvDZRR3l7AvvyMqkbz31CaZNA==
foo. 86400 IN RRSIG DNSKEY 13 1 86400 20201203151116 20201103151116 17470 foo. cjl9vK3whVGaWpmq3pKV8cDjLJPwrm4cbJEO+93f0DLUZXBsDCEmetj2 wsSo90tCQG+rmsAo3PR0iTItgjmZ5w==
; resign=20201203151116
www-NEW.foo. 86400 IN CNAME example.com.
www-NEW.foo. 86400 IN RRSIG CNAME 13 2 86400 20201203151116 20201103151116 17470 foo. OyAEfGB5h5xS2MroKW8qpIhvJSbpP6GCT1mZipoSQDu3WRMNw1P7sVT5 q75NqTgiB/LNwyd9BWQ2gC/a9lWk/Q==
; resign=20201203151116
www-NEW.foo. 3600 IN NSEC foo. CNAME RRSIG NSEC
www-NEW.foo. 3600 IN RRSIG NSEC 13 2 3600 20201203151116 20201103151116 17470 foo. T//2Y56YYvWCXE6oeR0RrBEnsjBVE1nKkc0ogWe15GlbeCGdVsEKymn2 mTb1+I3Vvhv/e57nCKoPdgxcB8IrNA==
; resign=20201203151116
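
A small model of the NSEC chain check at issue, added here as an example; it is not kzonecheck's code and not part of the original report. It walks the two NSEC records from the signed zone above and compares each next-name field against the following owner in canonical order, once with case folding and once byte-wise. Assumptions: owners are lowercased on load (as the `[www-new.foo.]` in the error output suggests), names contain no escape sequences, and the function and parameter names are hypothetical.

```python
# Constructed input: the two NSEC records copied from the signed zone in the report.
NSEC_LINES = """\
foo. 3600 IN NSEC www-NEW.foo. A NS SOA AAAA RRSIG NSEC DNSKEY
www-NEW.foo. 3600 IN NSEC foo. CNAME RRSIG NSEC
"""

def fold(name):
    """ASCII-only case folding, as DNS name comparison requires (RFC 4343)."""
    return name.encode("ascii").lower().decode("ascii")

def canonical_key(name):
    """RFC 4034 section 6.1 order: labels compared right to left, case folded."""
    labels = fold(name).rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def parse_nsec(text):
    """Map owner -> next domain name (both as written) for each NSEC line."""
    chain = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NSEC":
            chain[fields[0]] = fields[4]
    return chain

def incoherent_owners(chain, fold_next_name=True):
    """Return owners whose NSEC does not point at the next owner in canonical order.

    Assumption (hypothetical model): owners are lowercased on load; with
    fold_next_name=False the next-name field is compared exactly as written.
    """
    next_of = {fold(owner): nxt for owner, nxt in chain.items()}
    owners = sorted(next_of, key=canonical_key)
    bad = []
    for i, owner in enumerate(owners):
        expected = owners[(i + 1) % len(owners)]  # last NSEC wraps to the apex
        got = fold(next_of[owner]) if fold_next_name else next_of[owner]
        if got != expected:
            bad.append(owner)
    return bad

if __name__ == "__main__":
    chain = parse_nsec(NSEC_LINES)
    print("case-insensitive:", incoherent_owners(chain))
    print("byte-wise next name:", incoherent_owners(chain, fold_next_name=False))
```

The byte-wise mode flags only `foo.` for this zone; it illustrates the mismatch between `www-NEW.foo.` and `www-new.foo.`, not kzonecheck's exact error accounting.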