Possible dnssec-signzone re-sign bug with former orphan glue

[Paul Wouters]

Hi,

When using dnssec-signzone manually to sign a zone, I think there is a
case where it does not drop the RRSIGs when I think it should. Image
that dnssec-signzone is used with the old signed zone's RRSIG/NSEC*
data, along with an updated "unsigned" zone.

Let's say we are example.com. At T=0 we have in our signed zone:

foo.example.com. IN NS ns1.foo.example.com.
foo.example.com. IN NS ns2.foo.example.com.
ns1.foo.example.com. IN A 1.2.3.4
ns2.foo.example.com. IN A 1.2.3.4

The NS RRset is signed. The A records are not.

At T=1, the delegation for foo.example.com is removed, but (to prevent
other domains depending on those name servers to not die) the A records
are retained. Since this is now orphaned glue, the A records get signed.

At T=2, the delegation for foo.example.com is restored. The input zone
for dnssec-signzone receives the RRSIGs for the A record, and it should
drop these, but instead retains them. I am not sure what happens when
they would fall below the re-sign treshold.

I believe the correct behaviour should be for dnssec-signzone to drop
the RRSIGs of the A records when the delegation got restored.

Paul