Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Invalid DNSSEC signatures for empty responses with DNS 0x20 #5546
At Let's Encrypt, we use an Unbound recursive resolver with DNSSEC validation enabled, and DNS 0x20 (use-caps-for-id in unbound). We've gotten reports of problems from a couple of users who have PowerDNS as their authoritative resolvers:
Specifically, it seems that DNSSEC validation fails when a mixed-case query is made and the response is empty. There's some plausible speculation on our forum and on the unbound-users mailing list that this is because PowerDNS is signing a response containing the mixed-case qname, rather than downcasing before signing.
Caching seems to play a confounding role: If a downcased CAA query was sent first, the signed, cached response will validate, and subsequent mixed-case queries will get that valid response until it expires.
Hello @jsha, thank you for your report! This was fixed in git master by
Will leave this open for a bit in case somebody has conflicting experiences.