Subject: dnssec-signzone fails to correctly size a zone with data occulted by a DNAME

$TTL 300
example.com. IN SOA marka.isc.org. a.root.servers.nil. (
        2026    ; serial
        600     ; refresh
        600     ; retry
        1200    ; expire
        600     ; minimum
        )
example.com. IN DNAME ns2.smokeyjoe.com.
example.com. IN NS ns2.smokeyjoe.com.
foo.example.com. IN NS exavider.example.com.
exavider.example.com. IN A 192.168.0.2

The above zone only has apex records, but dnssec-signzone produces multiple NSEC records as it has ignored the DNAME record.

[rock:~/git/bind9] marka% bin/dnssec/dnssec-signzone -K . -o example.com junk
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
junk.signed
[rock:~/git/bind9] marka% grep NSEC junk.signed
600 NSEC exavider.example.com. NS SOA DNAME RRSIG NSEC DNSKEY
600 RRSIG NSEC 5 2 600 (
600 NSEC example.com. NS RRSIG NSEC
600 RRSIG NSEC 5 3 600 (
600 NSEC foo.example.com. A RRSIG NSEC
600 RRSIG NSEC 5 3 600 (
[rock:~/git/bind9] marka%
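The sizing rule the ticket relies on, as an added worked example (this is not part of the ticket and not BIND's own signer code): a signer builds one NSEC per owner name that holds authoritative data, in canonical order, and must leave out every name occluded by a DNAME. The example goes one step beyond the ticket and also skips names below a delegation point and trims a delegation point's bitmap to NS/DS, which is the same rule from RFC 4035 section 2.3. The RR type, the helper names, the ignore_dname switch and the zone list are all constructed here; the zone mirrors the one in the ticket so the two outputs can be compared with the grep output above.

```python
# Added example; it is not part of this ticket nor BIND's own signer. It models
# how a signer should size the NSEC chain: every owner name with authoritative
# data gets one NSEC, and names occluded by a DNAME (RFC 6672) or lying below a
# delegation point (RFC 4035 s.2.3) get none. The RR type, the helper names and
# the zone below are constructed here to mirror the zone in the ticket.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str   # absolute name with trailing dot
    rtype: str
    rdata: str


def labels(name):
    """'foo.example.com.' -> ['com', 'example', 'foo'] (root-most label first)."""
    return [lab for lab in name.lower().rstrip('.').split('.') if lab][::-1]


def is_below(name, ancestor):
    """True when name is a strict descendant of ancestor."""
    a, n = labels(ancestor), labels(name)
    return len(n) > len(a) and n[:len(a)] == a


def canonical_key(name):
    """Sort key for RFC 4034 s.6.1 canonical order: compare labels right to left."""
    return [lab.encode('ascii') for lab in labels(name)]


def occluded_names(zone, apex, ignore_dname=False):
    """Owner names whose data is not authoritative in this zone.

    ignore_dname=True reproduces the faulty behaviour described in the ticket:
    the DNAME is not treated as a cut point.
    """
    cut_points = set()
    for rr in zone:
        if rr.rtype == 'DNAME' and not ignore_dname:
            cut_points.add(rr.owner)
        elif rr.rtype == 'NS' and rr.owner != apex:
            cut_points.add(rr.owner)     # delegation: anything beneath is at most glue
    return {rr.owner for rr in zone
            if any(is_below(rr.owner, cut) for cut in cut_points)}


def nsec_chain(zone, apex, ignore_dname=False):
    """Return [(owner, next_owner, type_bitmap)] the signer should emit."""
    occluded = occluded_names(zone, apex, ignore_dname)
    types = {}
    for rr in zone:
        if rr.owner not in occluded:
            types.setdefault(rr.owner, set()).add(rr.rtype)
    types.setdefault(apex, set()).add('DNSKEY')   # the signer publishes its keys at the apex
    names = sorted(types, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        present = types[owner]
        if owner != apex and 'NS' in present:
            present = present & {'NS', 'DS'}      # delegation point: only NS/DS are authoritative
        bitmap = sorted(present | {'RRSIG', 'NSEC'})
        chain.append((owner, names[(i + 1) % len(names)], bitmap))
    return chain


# Constructed to match the zone in the ticket.
TICKET_ZONE = [
    RR('example.com.', 'SOA', 'marka.isc.org. a.root.servers.nil. 2026 600 600 1200 600'),
    RR('example.com.', 'DNAME', 'ns2.smokeyjoe.com.'),
    RR('example.com.', 'NS', 'ns2.smokeyjoe.com.'),
    RR('foo.example.com.', 'NS', 'exavider.example.com.'),
    RR('exavider.example.com.', 'A', '192.168.0.2'),
]

if __name__ == '__main__':
    for label, flag in (('expected', False), ('as in the ticket', True)):
        print(f'NSEC chain ({label}):')
        for owner, nxt, bitmap in nsec_chain(TICKET_ZONE, 'example.com.', flag):
            print(f'  {owner} NSEC {nxt} {" ".join(bitmap)}')
```

With the DNAME honoured, the only name left with authoritative data is the apex, so the chain is a single NSEC at example.com. pointing back to itself with the apex types (DNAME, DNSKEY, NS, SOA plus NSEC and RRSIG). With ignore_dname=True the chain grows to the three records the grep output shows: apex, exavider.example.com. with A, and foo.example.com. with NS.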