[Opendnssec-user] Signed zone file loses RRs
Paul Wouters
paul at nohats.ca
Fri Oct 19 22:38:10 UTC 2012
On Thu, 18 Oct 2012, Matthijs Mekking wrote:
> This is acknowledged as an operator error:
>
>> After comparing the unsigned file with the signed one, I have found
>> where the problem is. It's the unsigned zone files' fault, because
>> there is a bug in the script which generates the zone files: some of
>> the RRs are doubled, so the signed file must contain fewer RRs than the
>> unsigned one.
>
> Thanks Stuart for letting us know this has been resolved.
Related (and IMHO a bug), if you introduce a zone error in the unsigned
zone, it does not ignore the unsigned data, but instead stops working
fully.
e.g., add:
dname.example.com. DNAME foo.bar.
dname.example.com. CNAME foo.bar.
You can't have CNAMEs and DNAMEs at the same level, so it is rightfully
ignored, but IMHO no reason to stop signing the rest, or at least keep
resigning the signed zone and not taking input from the new unsigned
zone.
Paul
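Both problems in this thread (duplicate RRs emitted by a zone-generating script, and a CNAME and DNAME at the same owner name) can be caught before the unsigned zone ever reaches the signer. The following pre-signing check is an added example written for this thread; it is not part of OpenDNSSEC or any poster's code. It assumes a simplified one-record-per-line zone format with fully qualified owner names (TTL and class optional, `$`-directives skipped rather than expanded) and uses a constructed sample zone that reproduces both conditions.

```python
"""Pre-signing sanity check for an unsigned zone file (added example).

Parses a simplified zone format (owner [TTL] [class] type rdata, one RR
per line, fully qualified names) and reports two defects discussed on the
list: exact duplicate RRs, and owner names carrying both a CNAME and a
DNAME. Run it on the generated zone before handing the file to the signer.
"""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Return a list of (owner, type, rdata) tuples.

    Comments (';'), blank lines and $-directives are skipped; relative names
    are not expanded (assumption: the generator writes FQDNs). TTL and class
    are dropped because they do not affect these checks. Owner names are
    lower-cased since DNS names compare case-insensitively.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields[0].lower()
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in CLASSES:  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {line!r}")
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def find_duplicates(records):
    """Return RRs (owner, type, rdata) that occur more than once."""
    count = defaultdict(int)
    for rr in records:
        count[rr] += 1
    return sorted(rr for rr, n in count.items() if n > 1)


def find_cname_dname_conflicts(records):
    """Return owner names that carry both a CNAME and a DNAME."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    return sorted(o for o, t in types_at.items() if {"CNAME", "DNAME"} <= t)


def check_zone(text):
    """Run both checks; returns (duplicates, conflicts). Empty lists mean clean."""
    records = parse_zone(text)
    return find_duplicates(records), find_cname_dname_conflicts(records)


# Constructed sample zone reproducing both problems from the thread.
SAMPLE_ZONE = """\
$TTL 3600
example.com.        IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.        IN NS  ns1.example.com.
www.example.com.    IN A   192.0.2.10
www.example.com.    IN A   192.0.2.10     ; duplicate emitted by the generator script
dname.example.com.  IN DNAME foo.bar.
dname.example.com.  IN CNAME foo.bar.     ; CNAME and DNAME at the same owner
"""

if __name__ == "__main__":
    dups, conflicts = check_zone(SAMPLE_ZONE)
    for rr in dups:
        print("duplicate RR:", " ".join(rr))
    for owner in conflicts:
        print("CNAME and DNAME at the same owner:", owner)
    # Non-zero exit lets a pipeline refuse to feed a bad zone to the signer.
    raise SystemExit(1 if dups or conflicts else 0)
```

Wiring this between the generator and the signer turns a silent drop of RRs, or a signer that stops entirely, into a failed step with a clear message, which is easier to notice than a signed zone that is merely smaller than expected.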