Spurious "CNAME and other data" with signed zones

Alexander Gall gall at switch.ch
Thu Jan 10 10:18:15 UTC 2008


I have automated all DNSSEC related stuff for our signed zones with a
makefile and a bunch of perl scripts.  The DNSSEC RRsets are kept in a
separate file that is INCLUDEd in the main zone file.  The latter is
under version control and the zone admins never see any of the DNSSEC
records. 

Basically, whenever the zone is modified, the makefile dumps the zone
(with the old DNSSEC RRs) into a temporary file using "named-checkzone
-D".  After this file has been signed, the DNSSEC RRs are extracted
from it and written to the file that is included in the actual zone
file.

This works perfectly, except for one case.  When I replace all RRsets
at some name with a CNAME RR, named-checkzone complains about "CNAME
and other data".  It turns out that this is because of the old RRSIG
records that cover the RRsets which have been replaced by the CNAME.

AFAICS this check is really not useful, because the signer removes
those RRSIGs and adds the new RRSIG covering the CNAME.  In other
words, "CNAME and other data" should only be flagged when there
actually is other data, not just RRSIGs covering something other than
CNAME.

Also note that the type bit map of the old NSEC RR refers to the
non-CNAME records as well, but that does not trigger the error.

I think that check should be removed.  If that's not possible (maybe I
have overlooked something?), I'd like to have a command line switch
that lets me override this behaviour.

-- 
Alex
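The extraction and check step described in this post, as an added example that is not the poster's makefile or perl scripts: a small Python filter that parses a flat, one-record-per-line dump of the kind `named-checkzone -D` produces, drops RRSIGs whose covered type no longer exists at their owner name (the stale signatures that trip the check after an RRset is replaced by a CNAME), separates the DNSSEC RRs for the included file, and implements the "CNAME and other data" test both the way the poster observes it (RRSIGs count as other data) and the way he argues it should behave (only non-DNSSEC data counts). The zone, names, TTLs and signature fields are constructed placeholders; the parser ignores `$` directives, parentheses and multi-line records, so it is a model of the check, not a replacement for named-checkzone.

```python
"""Filter stale DNSSEC records from a dumped zone before re-checking/re-signing.

Added example (not the poster's code). Assumes one record per line in the
form: owner TTL class type rdata, as in a `named-checkzone -D` dump.
"""
from collections import defaultdict

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

# Constructed sample: www used to hold an A RRset (signed, with NSEC); the
# admin replaced it with a CNAME but the old RRSIG(A) and NSEC are still
# present from the previous signing run. Signature fields are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.net.
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2008011001 7200 3600 1209600 3600
example.net. 3600 IN NS ns1.example.net.
ns1.example.net. 3600 IN A 192.0.2.1
www.example.net. 3600 IN CNAME ns1.example.net.
www.example.net. 3600 IN RRSIG A 5 3 3600 20080201000000 20080101000000 12345 example.net. AAAA==
www.example.net. 3600 IN NSEC example.net. A RRSIG NSEC
www.example.net. 3600 IN RRSIG NSEC 5 3 3600 20080201000000 20080101000000 12345 example.net. AAAA==
"""


def parse_zone(text):
    """Return a list of (owner, ttl, cls, rtype, rdata) tuples from a flat dump."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip $ORIGIN/$TTL/$INCLUDE
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        owner, ttl, cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((owner.lower(), ttl, cls.upper(), rtype.upper(), rdata))
    return records


def cname_conflicts(records, ignore_dnssec=True):
    """Owner names that hold a CNAME together with other data.

    ignore_dnssec=False counts RRSIG/NSEC at the name as 'other data', which
    is what the poster sees; ignore_dnssec=True counts only real data, which
    is the behaviour the poster argues for.
    """
    types_at = defaultdict(set)
    for owner, _, _, rtype, _ in records:
        types_at[owner].add(rtype)
    conflicts = []
    for owner, types in sorted(types_at.items()):
        if "CNAME" not in types:
            continue
        other = types - {"CNAME"}
        if ignore_dnssec:
            other -= {"RRSIG", "NSEC", "NSEC3"}
        if other:
            conflicts.append(owner)
    return conflicts


def drop_stale_rrsigs(records):
    """Remove RRSIGs whose covered type no longer exists at the owner name.

    RRSIG rdata begins with the covered type, e.g. 'A 5 3 3600 ...'.
    """
    present = defaultdict(set)
    for owner, _, _, rtype, _ in records:
        if rtype != "RRSIG":
            present[owner].add(rtype)
    kept = []
    for rec in records:
        owner, _, _, rtype, rdata = rec
        if rtype == "RRSIG":
            covered = rdata.split(None, 1)[0].upper() if rdata else ""
            if covered not in present[owner]:
                continue                          # stale signature: drop it
        kept.append(rec)
    return kept


def split_dnssec(records):
    """Separate DNSSEC RRs (for the included file) from the admins' data."""
    dnssec = [r for r in records if r[3] in DNSSEC_TYPES]
    plain = [r for r in records if r[3] not in DNSSEC_TYPES]
    return plain, dnssec


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("conflicts, counting RRSIGs:   ", cname_conflicts(recs, ignore_dnssec=False))
    print("conflicts, real data only:    ", cname_conflicts(recs))
    cleaned = drop_stale_rrsigs(recs)
    plain, dnssec = split_dnssec(cleaned)
    print("records kept:", len(cleaned), "plain:", len(plain), "dnssec:", len(dnssec))
```

On the sample, the strict check reports `www.example.net.` because of the stale `RRSIG A`, the relaxed check reports nothing, and `drop_stale_rrsigs` removes exactly that one signature while keeping the `RRSIG NSEC`, whose covered type is still present; the NSEC itself remains until the next signing run rewrites it, matching the poster's observation that its type bit map does not trigger the error.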



More information about the bind-users mailing list