[Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

Havard Eidnes he at uninett.no
Mon Jun 30 11:49:25 UTC 2025


> We are getting the error while verify the opendnssec signed
> zone file - " A has signature(s), but is occluded (or glue)"

Yep, I see what's going on.

> Following is the test cases done on the opendnssec server. I am
> not sure, it is a bug or do we need to follow some procedure to
> avoid this issue. Please suggest.

In general, the remedy for this is to remove non-glue
non-authoritative data from your un-signed zone.

However...  It seems that the operations you are performing, in
particular going from #2 where the site1.example.com delegation
has been removed to re-introducing site1.example.com as a
delegated zone in step #3 is changing the "glueness" of the A
records for

ns1.site1.example.com.
ns2.site1.example.com.

and it's entirely possible that OpenDNSSEC doesn't handle that
correctly, and instead retains the signatures for those A records
which were (correctly) computed in step #2.

A possible workaround is to remove both the delegation of
site1.example.com and the glue records, have OpenDNSSEC sign that
zone, and then re-introduce both at the same time and have
OpenDNSSEC do a new signing operation.

Best regards,

- Håvard


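The general remedy above is to strip non-glue, non-authoritative data from the unsigned zone before it reaches the signer. The following is an added example (not code from this thread, from OpenDNSSEC or from ldns) of a pre-signing check that applies the same rule ldns-verify-zone uses when it reports "has signature(s), but is occluded (or glue)": every non-apex owner carrying NS records is a zone cut; at the cut only NS and DS belong to the parent, and below the cut only A/AAAA records that some NS record points at count as glue. Everything else is flagged. It assumes a simplified zone presentation format (one record per line, absolute owner names, optional TTL and class, no `$ORIGIN` or multi-line records); the sample zone embedded at the bottom is constructed to mirror the site1.example.com scenario, with three leftover records from the time the site1 names were served from the parent.

```python
"""Pre-signing lint: find occluded records in an unsigned zone.

Assumed input format (an assumption of this example): one record per line,
"owner [TTL] [IN] TYPE RDATA", fully qualified owners, no $ORIGIN/$TTL,
no multi-line records, ';' starts a comment.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOWED_AT_CUT = {"NS", "DS"}   # parent-side types that belong at a delegation name
GLUE_TYPES = {"A", "AAAA"}      # address records may survive below a cut only as glue


@dataclass(frozen=True)
class Record:
    owner: str
    rtype: str
    rdata: str


def _norm(name: str) -> str:
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text: str) -> list[Record]:
    """Parse the simplified presentation format described in the docstring."""
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        owner = _norm(fields.pop(0))
        if fields and fields[0].isdigit():         # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":   # optional class
            fields.pop(0)
        if not fields:
            raise ValueError(f"no RR type on line: {raw!r}")
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields)
        if rtype == "NS":
            rdata = _norm(rdata)                   # compare NS targets canonically
        records.append(Record(owner, rtype, rdata))
    return records


def _below(name: str, cut: str) -> bool:
    """True if name is a proper descendant of cut."""
    return name != cut and name.endswith("." + cut)


def find_occluded(text: str, apex: str) -> list[Record]:
    """Return records that would be reported as occluded (non-glue) by a verifier."""
    apex = _norm(apex)
    records = parse_zone(text)
    # Every non-apex owner with NS records is a zone cut in this zone.
    cuts = {r.owner for r in records if r.rtype == "NS" and r.owner != apex}
    # Address records are glue only if some NS record in the zone points at them.
    ns_targets = {r.rdata for r in records if r.rtype == "NS"}

    occluded: list[Record] = []
    for r in records:
        if r.owner == apex:
            continue
        is_glue = r.rtype in GLUE_TYPES and r.owner in ns_targets
        if any(_below(r.owner, c) for c in cuts):
            # Below a cut the child is authoritative; only glue may remain.
            if not is_glue:
                occluded.append(r)
        elif r.owner in cuts and r.rtype not in ALLOWED_AT_CUT and not is_glue:
            # At the cut itself the parent holds only NS/DS (plus glue when a
            # name server is the delegation name itself).
            occluded.append(r)
    return occluded


# Constructed sample: site1 is delegated with in-bailiwick name servers, but
# three records from the time site1 lived in this zone were left behind.
SAMPLE_ZONE = """\
example.com.            3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.            3600 IN NS   ns1.example.com.
ns1.example.com.        3600 IN A    192.0.2.1
www.example.com.        3600 IN A    192.0.2.2
site1.example.com.      3600 IN NS   ns1.site1.example.com.
site1.example.com.      3600 IN NS   ns2.site1.example.com.
ns1.site1.example.com.  3600 IN A    192.0.2.10   ; glue
ns2.site1.example.com.  3600 IN A    192.0.2.11   ; glue
site1.example.com.      3600 IN A    192.0.2.12   ; stale: A at the delegation name
www.site1.example.com.  3600 IN A    192.0.2.13   ; stale: below the cut, not glue
ns3.site1.example.com.  3600 IN AAAA 2001:db8::3  ; stale: not referenced by any NS
"""

if __name__ == "__main__":
    for rec in find_occluded(SAMPLE_ZONE, "example.com"):
        print(f"{rec.owner} {rec.rtype} is occluded (non-glue) data: {rec.rdata}")
```

Run against the sample it reports the three stale records and leaves the two glue A records alone; once those stale lines are deleted from the unsigned input it reports nothing, which is the state to reach before handing the zone to the signer. Running it as part of the pre-signing pipeline catches the leftover data regardless of how the delegation was added or removed over time, so the signer never sees a record whose glue status changes between runs.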