<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"Montserrat Light";
panose-1:0 0 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal">We are getting the error while verify the opendnssec signed zone file – “ A has signature(s), but is occluded (or glue)”<o:p></o:p></p>
<p class="MsoNormal">Following is the test cases done on the opendnssec server. I am not sure, it is a bug or do we need to follow some procedure to avoid this issue. Please suggest.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">opendnssec version: opendnssec-2.1.14 , softHSM version: softhsm-2.6.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">example.com zone file:-<o:p></o:p></p>
<p class="MsoNormal">------<o:p></o:p></p>
<p class="MsoNormal">$ORIGIN example.com.<o:p></o:p></p>
<p class="MsoNormal">$TTL 86400<o:p></o:p></p>
<p class="MsoNormal">@ IN SOA ns1.example.com. hostmaster.example.com. (<o:p></o:p></p>
<p class="MsoNormal"> 2025062628 ; serial<o:p></o:p></p>
<p class="MsoNormal"> 7200 ; refresh (2 hours)<o:p></o:p></p>
<p class="MsoNormal"> 3600 ; retry (1 hour)<o:p></o:p></p>
<p class="MsoNormal"> 1209600 ; expire (2 weeks)<o:p></o:p></p>
<p class="MsoNormal"> 3600 ; minimum (1 hour)<o:p></o:p></p>
<p class="MsoNormal"> )<o:p></o:p></p>
<p class="MsoNormal">example.com. 3600 IN NS ns1.dnsp.com.<o:p></o:p></p>
<p class="MsoNormal">example.com. 3600 IN NS ns2.dnsp.com.<o:p></o:p></p>
<p class="MsoNormal">ns1.dnsp.com. 3600 IN A 192.0.2.1<o:p></o:p></p>
<p class="MsoNormal">ns2.dnsp.com. 3600 IN A 192.0.2.2<o:p></o:p></p>
<p class="MsoNormal">;child zones<o:p></o:p></p>
<p class="MsoNormal">site1.example.com. IN NS ns1.site1.example.com.<o:p></o:p></p>
<p class="MsoNormal">site1.example.com. IN NS ns2.site1.example.com.<o:p></o:p></p>
<p class="MsoNormal">site2.example.com. IN NS ns1.site1.example.com.<o:p></o:p></p>
<p class="MsoNormal">site2.example.com. IN NS ns2.site1.example.com.<o:p></o:p></p>
<p class="MsoNormal">ns1.site1.example.com. IN A 192.168.0.1<o:p></o:p></p>
<p class="MsoNormal">ns2.site1.example.com. IN A 192.168.0.2<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Test case 1: Signing by opendssec working fine with the above example.com zone file. ldns-verify-zone succeeded for the signed zone file without any issue.<o:p></o:p></p>
<p class="MsoNormal">Test case 2. From the above zone file if we remove the child zone "site1.example.com. IN NS ns1.site1.example.com." AND "site1.example.com. IN NS ns2.site1.example.com. " then, the Signer considering " ns1.site1.example.com.
86400 IN A 192.168.0.1 And ns2.site1.example.com. IN A 192.168.0.2" as "A" record and singed file is with NSEC3 records. Here, ldns-verify-zone is succeeded for the signed zone file and complete.<o:p></o:p></p>
<p class="MsoNormal">Test case 3. Now if we add back the (removed child zone) entry "site1.example.com. IN NS ns1.site1.example.com." AND "site1.example.com. IN NS ns2.site1.example.com. " then, the Signer again considering ns1.site1.example.com
And ns2.site1.example.com. as "A" record and sign the same (without NSEC3 records). Here ldns-verify-zone failing with following error for the signed zone.<o:p></o:p></p>
<p class="MsoNormal">r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com<o:p></o:p></p>
<p class="MsoNormal">Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)<o:p></o:p></p>
<p class="MsoNormal">Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)<o:p></o:p></p>
<p class="MsoNormal">There were errors in the zone<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Details:-<o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Test case 2:</span></b><b><span lang="EN-US" style="color:#1F497D;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Unsigned </span>
</b><span lang="EN-US" style="color:#1F497D"> Zone file: example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">$ORIGIN example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">$TTL 86400<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">@ IN SOA ns1.example.com. hostmaster.example.com. (<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 2025062901 ; serial<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 7200 ; refresh (2 hours)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 3600 ; retry (1 hour)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 1209600 ; expire (2 weeks)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 3600 ; minimum (1 hour)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> )<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns1.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns2.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.dnsp.com. 3600 IN A 192.0.2.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.dnsp.com. 3600 IN A 192.0.2.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">;child zones<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. IN A 192.168.0.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. IN A 192.168.0.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Signed</span></b><span lang="EN-US" style="color:#1F497D"> Zone File:example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062903 7200 3600 1209600 3600<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG SOA 13 2 3600 20250713103826 20250629093857 50857 example.com. X/yOKaNg2nSnRKruh6iw/9+v11AiGIGnfMBmM+/hZ51lu2F/yl3MipaRrVY0XzQRmAUvDWhGY0rLYAlEEaNCMw==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns1.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns2.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 6khjs8s1km7q7o0kiuo75681umgi1vne NS SOA RRSIG DNSKEY NSEC3PARAM<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103836 20250629093857 50857 example.com. kQIXRVlVYtnvevX+FXgOB/dSs28sxyxpt3yClLF6ddJX7zcHL71PwECAlQtVciZ84+TeBB0G1ml0DsO3UHbAHQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">;;Empty non-terminal site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103937 20250629093857 50857 example.com. KwpkOK2LdtB+k1MkVTXT2tpwQHHE8FGamLzHtsU7ySCWZyMGl9xpkOH/Lag2fQq7ccd3E7/bKP2Uwj+jB5Chsw==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. 86400 IN A 192.168.0.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 9mf6b0gr55bvjvt1r7mjhk74oal4o0gf A RRSIG<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103903 20250629093857 50857 example.com. gIAkLHKiIGqPyRZImhY7Eq0oOiyXZQvYHYAEceuBTaSN7WxYtZcdt+JpztJ35tc6dX4eY+rK5CffpGY8hI7y7A==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. 86400 IN A 192.168.0.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 re7jfp9oitl3mdnjo2icnigv84kp0o2k A RRSIG<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103915 20250629093857 50857 example.com. BNIl/sn22QWiF4KIsS4+jXLPheV/pVDxAT14Lt29kvnyCkv6DFYJAYLbXZT9RmVHLN4q14CABKu4zCuQ7WUyDg==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. 86400 IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. 86400 IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Test case 3:<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Unsigned</span></b><span lang="EN-US" style="color:#1F497D"> zone file: example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">$ORIGIN example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">$TTL 86400<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">@ IN SOA ns1.example.com. hostmaster.example.com. (<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 2025062901 ; serial<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 7200 ; refresh (2 hours)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 3600 ; retry (1 hour)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 1209600 ; expire (2 weeks)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> 3600 ; minimum (1 hour)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> )<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns1.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns2.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.dnsp.com. 3600 IN A 192.0.2.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.dnsp.com. 3600 IN A 192.0.2.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">;child zones<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site1.example.com. IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site1.example.com. IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. IN A 192.168.0.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. IN A 192.168.0.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="color:#1F497D">Signed</span></b><span lang="EN-US" style="color:#1F497D"> Zone file: example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. TIDrmS7eA9Et/VdX0sCWRN3LO4aT8PymaE4Le4BV8lrBDNc8TaWZEkMAO4ygkpliMNDS/6xlMeDXSYzjHuloVA==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns1.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN NS ns2.dnsp.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r NS SOA RRSIG DNSKEY NSEC3PARAM<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713105659 20250629095744 50857 example.com. EeyBPLB1tAvIo0DLt3N+QAQDPMu3T54r0eWfR9DyrwsdTv8TRtAOrcf/JdOlDa85fzBdInZCmJf1UXi/ebXXIw==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site1.example.com. 86400 IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site1.example.com. 86400 IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. 86400 IN A 192.168.0.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. 86400 IN A 192.168.0.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. 86400 IN NS ns1.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">site2.example.com. 86400 IN NS ns2.site1.example.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">There were errors in the zone<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-family:"Montserrat Light";color:black;mso-ligatures:none;mso-fareast-language:EN-GB">Thanks<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-family:"Montserrat Light";color:black;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>