dnssec-verify fails on case-sensitivity of owner names in NSEC bitmap
Problem
The following zone, once signed, cannot be verified with dnssec-verify (from BIND 9.12.2):
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns.example.net. mail.example.net. ( 1 28800 7200 604800 1800 )
@ NS ns.example.net.
$INCLUDE Kexample.com.+013+60432.key
foo AAAA ::1
bar A 127.0.0.1
FOO A 127.0.0.2
aba CNAME FOO
Note: the order of the foo/bar/aba records is important. I believe it depends on which name is used to calculate the NSEC bitmap.
Steps to reproduce
- create key
dnssec-keygen -f KSK -a ECDSAP256SHA256 example.com.
- sign zone
dnssec-signzone -z -o example.com. example.com
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 0 active, 0 stand-by, 0 revoked
example.com.signed
- verify zone
dnssec-verify -z -o example.com. example.com.signed
Loading zone 'example.com.' from file 'example.com.signed'
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Bad NSEC record for bar.example.com, bit map mismatch
dnssec-verify: fatal: DNSSEC completeness test failed (failure).
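As an added illustration (not part of the original report and not BIND's own code), the following Python script models the two RFC 4034 rules a signer and a verifier must agree on: owner names are lowercased in canonical form (section 6.2), and names are ordered canonically (section 6.1) before the NSEC chain and its type bitmaps are built. The RR list is constructed from the zone above (DNSKEY stands in for the $INCLUDEd key; RDATA does not matter for the bitmap). It shows the bitmap a case-sensitive grouping of foo/FOO produces next to the canonical one, builds the chain a correct signer would emit, and includes a pre-signing lint that flags owner names spelled with more than one case so the zone can be normalised before running dnssec-signzone.

```python
from collections import defaultdict

# Constructed sample input: (owner, RR type) pairs for the zone in the report.
ZONE_RRS = [
    ("example.com.", "SOA"),
    ("example.com.", "NS"),
    ("example.com.", "DNSKEY"),
    ("foo.example.com.", "AAAA"),
    ("bar.example.com.", "A"),
    ("FOO.example.com.", "A"),
    ("aba.example.com.", "CNAME"),
]


def canonical_name(name):
    """RFC 4034 section 6.2: owner names are lowercased in canonical form."""
    return name.lower()


def canonical_order_key(name):
    """RFC 4034 section 6.1: order by labels from the root downwards,
    comparing lowercased labels as byte strings."""
    labels = canonical_name(name).rstrip(".").split(".")
    return tuple(label.encode() for label in reversed(labels))


def type_bitmaps(rrs, case_sensitive):
    """Map owner name -> RR types present at that name.
    case_sensitive=True models an implementation that groups by the literal
    owner string; False applies the canonical-form rule.  Every authoritative
    name in a signed zone also carries RRSIG and NSEC in its own bitmap."""
    groups = defaultdict(set)
    for owner, rtype in rrs:
        key = owner if case_sensitive else canonical_name(owner)
        groups[key].add(rtype)
    return {name: frozenset(types | {"RRSIG", "NSEC"})
            for name, types in groups.items()}


def case_collisions(rrs):
    """Pre-signing lint: canonical names written with more than one case."""
    spellings = defaultdict(set)
    for owner, _ in rrs:
        spellings[canonical_name(owner)].add(owner)
    return {name: sorted(s) for name, s in spellings.items() if len(s) > 1}


def bitmap_mismatches(rrs):
    """Canonical names whose literal-owner bitmap disagrees with the canonical
    one, i.e. where two implementations that differ on case handling would
    compute different NSEC bitmaps."""
    literal = type_bitmaps(rrs, case_sensitive=True)
    canon = type_bitmaps(rrs, case_sensitive=False)
    result = {}
    for spelling, bitmap in literal.items():
        name = canonical_name(spelling)
        if bitmap != canon[name]:
            result.setdefault(name, {})[spelling] = bitmap
    return result


def nsec_chain(rrs):
    """Build the NSEC chain a correct signer produces: canonical order,
    each name pointing at the next, the last name wrapping to the first."""
    bitmaps = type_bitmaps(rrs, case_sensitive=False)
    names = sorted(bitmaps, key=canonical_order_key)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        chain.append((owner, nxt, sorted(bitmaps[owner])))
    return chain


if __name__ == "__main__":
    for name, spellings in case_collisions(ZONE_RRS).items():
        print(f"lint: {name} is spelled {spellings}")
    for name, per_spelling in bitmap_mismatches(ZONE_RRS).items():
        print(f"bitmap mismatch at {name}: {dict(per_spelling)}")
    for owner, nxt, bitmap in nsec_chain(ZONE_RRS):
        print(f"{owner} NSEC {nxt} {' '.join(bitmap)}")
```

Running the script on the sample zone reports foo.example.com. as spelled two ways, shows that grouping by the literal owner gives one bitmap with only AAAA and another with only A while the canonical bitmap carries both, and prints the four-entry chain (apex, aba, bar, foo) that both the signer and the verifier should agree on once names are canonicalised. Running the lint over a zone before signing, or simply keeping owner names in one case, avoids the inconsistency the report describes.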
Edited by Daniel Stirnimann