Bug #44889 for bind9-public: dnssec-signzone fails to correctly sign a zone with data occulted by a DNAME

Wed, 15 Mar 2017 21:59:26 -0400 Mark Andrews <marka@isc.org> - Ticket created

Subject:

dnssec-signzone fails to correctly size a zone with data occulted by a DNAME

$TTL 300 example.com. IN SOA marka.isc.org. a.root.servers.nil. ( 2026 ; serial 600 ; refresh 600 ; retry 1200 ; expire 600 ; minimum ) example.com. IN DNAME ns2.smokeyjoe.com. example.com. IN NS ns2.smokeyjoe.com. foo.example.com. IN NS exavider.example.com. exavider.example.com. IN A 192.168.0.2 The above zone only has apex records in the zone but dnssec-signzone produces multiple NSEC records as it has ignored the DNAME record. [rock:~/git/bind9] marka% bin/dnssec/dnssec-signzone -K . -o example.com junk Verifying the zone using the following algorithms: RSASHA1. Zone fully signed: Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked ZSKs: 1 active, 0 stand-by, 0 revoked junk.signed [rock:~/git/bind9] marka% grep NSEC junk.signed 600 NSEC exavider.example.com. NS SOA DNAME RRSIG NSEC DNSKEY 600 RRSIG NSEC 5 2 600 ( 600 NSEC example.com. NS RRSIG NSEC 600 RRSIG NSEC 5 3 600 ( 600 NSEC foo.example.com. A RRSIG NSEC 600 RRSIG NSEC 5 3 600 ( [rock:~/git/bind9] marka%

Wed, 15 Mar 2017 21:59:53 -0400 Mark Andrews <marka@isc.org> - Subject changed from 'dnssec-signzone fails to correctly size a zone with data occulted by a DNAME' to 'dnssec-signzone fails to correctly sign a zone with data occulted by a DNAME'

Wed, 15 Mar 2017 22:03:53 -0400 Mark Andrews <marka@isc.org> - Member #44890: check that named correctly signs a zone with data occulted by a DNAME added

Mon, 10 Jul 2017 14:38:26 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public

Created:	Wed, 15 Mar 2017 21:59:25 -0400
Updated:	Mon, 10 Jul 2017 14:38:26 -0400
Closed:	Not set

Bug #44889 for bind9-public: dnssec-signzone fails to correctly sign a zone with data occulted by a DNAME

This bug tracker is no longer active.