Invalid DNSSEC signatures for empty responses with DNS 0x20 #5546
Labels
Comments
Hello @jsha, thank you for your report! This was fixed in git master by Will leave this open for a bit in case somebody has conflicting experiences. |
Thanks for the prompt response! I'll convey this to the affected parties and see if upgrading helps. |
I've gotten one report from an affected party that upgrading to 4.0.4 fixed it. Closing. Thanks again. As an FYI I've requested Ubuntu backport the fix into Xenial, and a helpful community member has filed a similar bug for Debian. |
Those PR numbers were wrong. The backport is b91cfe5 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
At Let's Encrypt, we use an Unbound recursive resolver with DNSSEC validation enabled, and DNS 0x20 (use-caps-for-id in unbound). We've gotten reports of problems from a couple of users who have PowerDNS as their authoritative resolvers:
https://community.letsencrypt.org/t/powerdns-cant-find-why-caa-servfails/38127
https://community.letsencrypt.org/t/help-diagnosing-caa-failures-ns1-cyso-nl/38461
Specifically, it seems that DNSSEC validation fails when a mixed-case query is made and the response is empty. There's some plausible speculation on our forum and on the unbound-users mailing list that this is because PowerDNS is signing a response containing the mixed-case qname, rather than downcasing before signing.
Caching seems to play a confounding role: If a downcased CAA query was sent first, the signed, cached response will validate, and subsequent mixed-case queries will get that valid response until it expires.
The text was updated successfully, but these errors were encountered: