[Opendnssec-user] Difference between BIND and ODS signed output

elsif jake at elsif.net
Fri Oct 26 15:01:19 UTC 2012 

Unsigned zone:
lac-megantic.qc.ca.                IN NS    ns1.com2media.ca.
                                    IN NS    ns2.com2media.ca.
ville.lac-megantic.qc.ca.          IN NS    ns1.com2media.ca.
                                    IN NS    ns2.com2media.ca.

Signed zone (ODS):
lac-megantic.qc.ca.     86400   IN      NS      ns1.com2media.ca.
lac-megantic.qc.ca.     86400   IN      NS      ns2.com2media.ca.


Signed zone (BIND):
lac-megantic.qc.ca.     86400   IN NS   ns1.com2media.ca.
                         86400   IN NS   ns2.com2media.ca.
ville.lac-megantic.qc.ca. 86400 IN NS   ns1.com2media.ca.
                         86400   IN NS   ns2.com2media.ca.

It appears ODS is ignoring the 4th level when the 3rd level exists 
(presumably this behaviour would be different if the NS RRset differs, but 
I've yet to confirm that).

I didn't expect zones to disappear from the signed zone, in any case, and 
makes our post-signing validation checks fail.

Can this be considered a bug?

Thanks,

-Jake

More information about the Opendnssec-user mailing list