[Opendnssec-user] Passthru signconf still demanding Signatures, Denial, Keys sections?

Rick van Rein rick at openfortress.nl
Thu Nov 24 11:19:44 UTC 2016


I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
flag, and while playing around I've also checked signconf.rng to see the

Even with the <Passthrough/> flag for a zone, the syntax for .signconf
files demands quite a bit of signing setup:
 - Signatures/*
 - Denial/NSEC3/Hash/* or Denial/NSEC
 - Keys/TTL

The need for SOA/* makes sense, but the others are not as clear to me. 
Why are they still required by the .signconf syntax?  Are they still
used in any way?

I also found that DNSKEY entries are preserved when they occur in the
.signed file.

Are these unexpected things just accidentally retained, or are they in
the interest of keeping key material around for a while?  If so, isn't
that taking care of things that the Enforcer (and so the .signconf file)
should take care of?


More information about the Opendnssec-user mailing list