[Opendnssec-user] Passthru signconf still demanding Signatures, Denial, Keys sections?

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Nov 28 10:53:55 UTC 2016

> I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
> flag, and while playing around I've also checked signconf.rng to see the
> syntax.
> Even with the <Passthrough/> flag for a zone, the syntax for .signconf
> files demands quite a bit of signing setup:
>  - Signatures/*
>  - Denial/NSEC3/Hash/* or Denial/NSEC
>  - Keys/TTL
> The need for SOA/* makes sense, but the others are not as clear to me. 
> Why are they still required by the .signconf syntax?  Are they still
> used in any way?

Sometime, many a years ago, it was decided that almost the entire KASP
is required and thus there are no sane default values. Implementing
passthrough did not change that. All the values are parsed AND stored in
the database. They are not used though. So as long as the KASP validates
the values do not matter.

> I also found that DNSKEY entries are preserved when they occur in the
> .signed file.
> Are these unexpected things just accidentally retained, or are they in
> the interest of keeping key material around for a while?  If so, isn't
> that taking care of things that the Enforcer (and so the .signconf file)
> should take care of?

Passthrough SHOULD retain DNSKEYS that are in the input zone. If you
however see DNSKEYs that are generated by the signer then I suspect this
has happened:

1) You did add a zone to ods. (it got signed)
2) you changed the policy to passthrough.

This usecase is not supported (maybe it should?). To solve it quickly
you can remove the backup file for that zone. Next time if you want to
start with a by ODS signed zone and want to change it to passthrough you
can do the following.

[1) add a zone to ods. (it got signed)]
2) Remove all keys* from KASP and run policy update.
3) wait until ODS has properly unsigned the zone
4) then change policy to passthrough.

* Note that ("no keys" != "passthrough"). No keys defined in kasp will
gracefully unsign the zone AND filter any DNSSEC related records from
the input zone.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20161128/39f27911/attachment.bin>

More information about the Opendnssec-user mailing list