[Opendnssec-user]Signed zone file loses RRs

Paul Wouters paul at nohats.ca
Fri Oct 19 22:38:10 UTC 2012

On Thu, 18 Oct 2012, Matthijs Mekking wrote:

> This is acknowledged as an operator error:
>> After comparing the unsigned file with the signed one, I have found
>> where the problem is, It's the unsigned zone files' fault, because
>> there is a bug in the script which generates the zone files, some of
>> the RRs doubles,so the signed file must contain less RRs than the
>> unsigned one.
> Thanks Stuart for letting us know this has been resolved.

Related (and imho a bug), if you introduce a zone error in the unsigned
zone, it does not ignore the unsigned data, but instead stops working

eg, add:

dname.example.com. DNAME foo.bar.
dname.example.com. CNAME foo.bar.

You can't have cnames and dnames at the same level, so it is rightfully
ignored, but IMHO no reason to stop signing the rest, or at least keep
resigning the signed zone and not taking input from the new unsigned


More information about the Opendnssec-user mailing list