Invalid DNSSEC signatures for empty responses with DNS 0x20

[jsha]

At Let's Encrypt, we use an Unbound recursive resolver with DNSSEC validation enabled, and DNS 0x20 (use-caps-for-id in unbound). We've gotten reports of problems from a couple of users who have PowerDNS as their authoritative resolvers:

https://community.letsencrypt.org/t/powerdns-cant-find-why-caa-servfails/38127
https://community.letsencrypt.org/t/help-diagnosing-caa-failures-ns1-cyso-nl/38461

Specifically, it seems that DNSSEC validation fails when a mixed-case query is made and the response is empty. There's some plausible speculation on our forum and on the unbound-users mailing list that this is because PowerDNS is signing a response containing the mixed-case qname, rather than downcasing before signing.

Caching seems to play a confounding role: If a downcased CAA query was sent first, the signed, cached response will validate, and subsequent mixed-case queries will get that valid response until it expires.

[Habbie]

Hello @jsha, thank you for your report! This was fixed in git master by #5377, which was backported to 4.0.x in #5378 and then released as 4.0.4. In other words, affected users running 4.0.3 or lower should upgrade to 4.0.4 and try again. Users running master should not be affected today.

Will leave this open for a bit in case somebody has conflicting experiences.

[jsha]

Thanks for the prompt response! I'll convey this to the affected parties and see if upgrading helps.

[jsha]

I've gotten one report from an affected party that upgrading to 4.0.4 fixed it. Closing. Thanks again. As an FYI I've requested Ubuntu backport the fix into Xenial, and a helpful community member has filed a similar bug for Debian.

[Habbie]

Those PR numbers were wrong. The backport is b91cfe5