[Opendnssec-user] Passthru signconf still demanding Signatures, Denial, Keys sections?
Rick van Rein
rick at openfortress.nl
Thu Nov 24 11:19:44 UTC 2016
Hi,
I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
flag, and while playing around I've also checked signconf.rng to see the
syntax.
Even with the <Passthrough/> flag for a zone, the syntax for .signconf
files demands quite a bit of signing setup:
- Signatures/*
- Denial/NSEC3/Hash/* or Denial/NSEC
- Keys/TTL
The need for SOA/* makes sense, but the others are not as clear to me.
Why are they still required by the .signconf syntax? Are they still
used in any way?
I also found that DNSKEY entries are preserved when they occur in the
.signed file.
Are these unexpected things just accidentally retained, or are they in
the interest of keeping key material around for a while? If so, isn't
that taking care of things that the Enforcer (and so the .signconf file)
should take care of?
Thanks,
-Rick
More information about the Opendnssec-user
mailing list