On 03/08/2012 18:00, John Marshall wrote:
> On 03/08/2012 09:28, John Marshall wrote:
>> The behaviour of the dsset file generation appears to be unaffected by
>> the smart signing switch (-S). The generated dsset file includes all
>> KSKs found in the key repository (-K) irrespective of any timing
>> metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted
>> keys may remain in the key repository, but the only way to exclude
>> deleted KSKs from the dsset file seems to be to remove them from the
>> key repository directory.
>
> I have upgraded to BIND 9.9.1-P2 and see the same behaviour there as
> well. Unless I am missing something obvious, it seems that the only way
> to avoid having "dnssec-signzone -g" for a parent zone pick up stale DS
> records from dsset files generated by "dnssec-signzone -S" for the child
> zones is to remove deleted KSKs from the (-K) key repository directory
> prior to signing the child zones.
Also, the NSEC3 signing option warns about missing DNSKEYs in the zone
before smart signing has had a chance to put them in. It's only a warning
message and everything works, but it seems that there are a couple of bits
of dnssec-signzone that haven't caught up with smart signing.

# dnssec-signzone \
    -d /path/to/dssets \
    -g \
    -K /path/to/keys \
    -S \
    -3 53414954 \
    -o riverwillow.com.au. riverwillow.com.au
dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring
Fetching ZSK 4161/RSASHA256 from key repository.
Fetching KSK 6055/RSASHA256 from key repository.
Fetching KSK 59433/NSEC3RSASHA1 from key repository.
Fetching ZSK 15482/NSEC3RSASHA1 from key repository.
Verifying the zone using the following algorithms: NSEC3RSASHA1 RSASHA256.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
riverwillow.com.au.signed

-- 
John Marshall

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
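The workaround the post describes (take deleted KSKs out of the -K directory before running "dnssec-signzone -S" on the child, so the parent's "dnssec-signzone -g" does not pick up stale DS records from the dsset file) can be scripted from the timing metadata that dnssec-settime stores in the key files. The following Python is an added example, not code from the post or from BIND. It assumes the public key file layout written by dnssec-keygen: a filename of the form K<zone>+<alg>+<keyid>.key, timing metadata such as "; Delete: YYYYMMDDHHMMSS (...)" as comment lines (UTC), and a DNSKEY record whose flags field has the SEP bit set (257) for a KSK. The zone name, key ids and key material in the sample repository are constructed.

```python
"""Find KSKs in a dnssec-keygen key repository whose Delete: time has passed.

Added example (not from the original post or from BIND): dnssec-signzone -S
writes every KSK it finds under -K into the dsset file, so this lists the
deleted KSKs and the files to move aside before signing the child zone.
"""
import re
from datetime import datetime, timezone

TIME_FMT = "%Y%m%d%H%M%S"
# dnssec-keygen names public key files K<zone>+<3-digit alg>+<5-digit keyid>.key
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.key$")
# Timing metadata is stored as ";" comments, e.g.
# "; Delete: 20120701000000 (Sun Jul  1 00:00:00 2012)"; the trailing text is ignored.
META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Revoke|Delete):\s*(\d{14})")

# Constructed sample repository (hypothetical zone, key ids and key material),
# laid out the way dnssec-keygen writes .key files.
SAMPLE_REPOSITORY = {
    "Kexample.com.+008+11111.key": (   # current KSK, no Delete: set
        "; This is a key-signing key, keyid 11111, for example.com.\n"
        "; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        "; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        "; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
        "example.com. IN DNSKEY 257 3 8 AwEAAcsamplekeymaterial11111==\n"
    ),
    "Kexample.com.+008+22222.key": (   # retired KSK, Delete: time already reached
        "; This is a key-signing key, keyid 22222, for example.com.\n"
        "; Created: 20110101000000 (Sat Jan  1 00:00:00 2011)\n"
        "; Inactive: 20120601000000 (Fri Jun  1 00:00:00 2012)\n"
        "; Delete: 20120701000000 (Sun Jul  1 00:00:00 2012)\n"
        "example.com. IN DNSKEY 257 3 8 AwEAAcsamplekeymaterial22222==\n"
    ),
    "Kexample.com.+008+33333.key": (   # successor KSK, Delete: set in the future
        "; This is a key-signing key, keyid 33333, for example.com.\n"
        "; Created: 20120601000000 (Fri Jun  1 00:00:00 2012)\n"
        "; Delete: 20131201000000 (Sun Dec  1 00:00:00 2013)\n"
        "example.com. IN DNSKEY 257 3 8 AwEAAcsamplekeymaterial33333==\n"
    ),
    "Kexample.com.+008+44444.key": (   # ZSK: never contributes a DS record
        "; This is a zone-signing key, keyid 44444, for example.com.\n"
        "; Delete: 20120701000000 (Sun Jul  1 00:00:00 2012)\n"
        "example.com. IN DNSKEY 256 3 8 AwEAAcsamplekeymaterial44444==\n"
    ),
}

# Constructed "now" between the Delete: times above (the post is dated 03/08/2012).
SAMPLE_NOW = datetime(2012, 8, 3, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse a YYYYMMDDHHMMSS metadata timestamp (dnssec-settime uses UTC)."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_keyfile(filename, text):
    """Return {zone, alg, keyid, ksk, meta} for one dnssec-keygen .key file."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError("not a dnssec-keygen public key file: %s" % filename)
    meta, flags = {}, None
    for line in text.splitlines():
        mm = META_RE.match(line)
        if mm:
            meta[mm.group(1)] = parse_time(mm.group(2))
            continue
        fields = line.split()
        if "DNSKEY" in fields:
            # Flags follow the DNSKEY type; bit 0 (SEP) marks a KSK: 257 vs 256.
            flags = int(fields[fields.index("DNSKEY") + 1])
    if flags is None:
        raise ValueError("no DNSKEY record in %s" % filename)
    return {"zone": m.group("zone"), "alg": int(m.group("alg")),
            "keyid": int(m.group("keyid")), "ksk": bool(flags & 1), "meta": meta}


def is_deleted(key, now):
    """True once the key's Delete: time (dnssec-settime -D) has been reached."""
    delete_at = key["meta"].get("Delete")
    return delete_at is not None and delete_at <= now


def stale_ksks(repository, now):
    """Key ids of KSKs that would still land in the dsset file although deleted."""
    keys = [parse_keyfile(name, text) for name, text in repository.items()]
    return sorted(k["keyid"] for k in keys if k["ksk"] and is_deleted(k, now))


def live_ksks(repository, now):
    """Key ids of KSKs that should contribute DS records to the parent."""
    keys = [parse_keyfile(name, text) for name, text in repository.items()]
    return sorted(k["keyid"] for k in keys if k["ksk"] and not is_deleted(k, now))


def files_to_move_aside(repository, now):
    """Files (.key and matching .private) to move out of -K before signing."""
    out = []
    for name, text in repository.items():
        key = parse_keyfile(name, text)
        if key["ksk"] and is_deleted(key, now):
            out.append(name)
            out.append(name[:-len(".key")] + ".private")
    return sorted(out)


if __name__ == "__main__":
    for path in files_to_move_aside(SAMPLE_REPOSITORY, SAMPLE_NOW):
        print("move aside before dnssec-signzone -S:", path)
```

To use it against a real repository, read each K*.key file under the -K directory into the dictionary in place of SAMPLE_REPOSITORY and move the listed files out of the directory (not delete them, as dnssec-settime leaves deleted keys in place on purpose) before signing; the same filter also tells you which key ids to expect in the dsset file afterwards. The script only honours the Delete: time, which is the case raised in the post; revoked or not-yet-published KSKs are left as dnssec-signzone treats them.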