dnssec-signzone retains obsolete signatures
Daniel Stirnimann
daniel.stirnimann at switch.ch
Tue Mar 22 10:57:53 UTC 2016
Dear all,
I have the following test zone files:
8.example.com.signed
K8.example.com.+008+40162.key
K8.example.com.+008+40162.private
I edit the signed zone directly (8.example.com.signed) and remove for
example an A record and then resign the zone as following:
dnssec-signzone -z -o 8.example.com. -f 8.example.com.signed2
8.example.com.signed
The resigned zone (8.example.com.signed2) has updated the NSEC chain but
the RRSIG for the removed A record retains.
While this is not a problem for BIND to load the zone it seems
unexpected to me. Should dnssec-signzone not remove obsolete signatures?
Daniel
More information about the bind-users
mailing list