[Opendnssec-user] Passthru signconf still demanding Signatures, Denial, Keys sections?
Rick van Rein
rick at openfortress.nl
Thu Nov 24 11:19:44 UTC 2016
I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
flag, and while playing around I've also checked signconf.rng to see the
Even with the <Passthrough/> flag for a zone, the syntax for .signconf
files demands quite a bit of signing setup:
- Denial/NSEC3/Hash/* or Denial/NSEC
The need for SOA/* makes sense, but the others are not as clear to me.
Why are they still required by the .signconf syntax? Are they still
used in any way?
I also found that DNSKEY entries are preserved when they occur in the
Are these unexpected things just accidentally retained, or are they in
the interest of keeping key material around for a while? If so, isn't
that taking care of things that the Enforcer (and so the .signconf file)
should take care of?
More information about the Opendnssec-user