[Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

Barshani Jalaludeen barshani.jalaludeen at oivan.com
Mon Jun 30 14:23:02 UTC 2025 

Hi Havard,

Thanks for your quick support.

We did the following, without update any record in unsigned zone file after test case3 #  Occluded (glue) issue.

cd /var/opendnssec/unsigned/
r0ts-dns-ids01:/var/opendnssec/unsigned# sudo -u ods ods-signer clear example.com
Internal zone information about example.com cleared

sudo -u ods ods-signer sign example.com
cd /var/opendnssec/signed
cat example.com
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Zone is verified and complete

It seems signing of example.com working fine.

Note:- Is this means bug in opendnssec to handle such scenario?  Any suggestion please.

Thanks




-----Original Message-----
From: Havard Eidnes <he at uninett.no> 
Sent: Monday, June 30, 2025 2:49 PM
To: Barshani Jalaludeen <barshani.jalaludeen at oivan.com>
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

CAUTION: This email originated from outside Oivan. Do not click links or open attachments unless you recognize the sender and know the content is safe.

> We are getting the error while verify the opendnssec signed zone file 
> - " A has signature(s), but is occluded (or glue)"

Yep, I see what's going on.

> Following is the test cases done on the opendnssec server. I am not 
> sure, it is a bug or do we need to follow some procedure to avoid this 
> issue. Please suggest.

In general, the remedy for this is to remove non-glue non-authoritative data from your un-signed zone.

However...  It seems that the operations you are performing, in particular going from #2 where the site1.example.com delegation has been removed to re-introducing site1.example.com as a delegated zone in step #3 is changing the "glueness" of the A records for

ns1.site1.example.com.
ns2.site1.example.com.

and it's entirely possible that OpenDNSSEC doesn't handle that correctly, and instead retains the signatures for those A records which were (correctly) computed in step #2.

A possible workaround is to remove both the delegation of site1.example.com and the glue records, have OpenDNSSEC sign that zone, and then re-introduce both at the same time and have OpenDNSSEC do a new signing operation.

Best regards,

- Håvard

More information about the Opendnssec-user mailing list