On Thu, 18 Oct 2012, Matthijs Mekking wrote:

This is acknowledged as an operator error:

After comparing the unsigned file with the signed one, I have found
where the problem is. It's the unsigned zone files' fault, because
there is a bug in the script which generates the zone files: some of
the RRs are doubled, so the signed file must contain fewer RRs than the
unsigned one.

Thanks Stuart for letting us know this has been resolved.

Related (and imho a bug), if you introduce a zone error in the unsigned
zone, it does not ignore the unsigned data, but instead stops working
fully.

e.g., add:

dname.example.com. DNAME foo.bar.
dname.example.com. CNAME foo.bar.

You can't have CNAMEs and DNAMEs at the same level, so it is rightfully
ignored, but IMHO no reason to stop signing the rest, or at least keep
resigning the signed zone and not taking input from the new unsigned
zone.

Paul
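
A pre-signing check for the two conditions discussed in this thread (doubled RRs and a CNAME next to a DNAME at one owner name), as an added example that is not part of the original messages and not OpenDNSSEC code. It assumes one RR per line with an explicit owner name; `parse_rr`, `lint_zone` and the sample zone are hypothetical and constructed for illustration.

```python
from collections import Counter, defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample: the two records from the message plus a doubled A record.
SAMPLE_ZONE = """\
example.com.        3600 IN SOA ns1.example.com. host.example.com. 1 7200 3600 1209600 3600
example.com.        3600 IN NS  ns1.example.com.
ns1.example.com.    3600 IN A   192.0.2.1
www.example.com.    3600 IN A   192.0.2.10
WWW.example.com.    3600 IN A   192.0.2.10
dname.example.com.  DNAME foo.bar.
dname.example.com.  CNAME foo.bar.
"""

def parse_rr(line):
    """Split 'owner [ttl] [class] type rdata' into (owner, type, rdata) or None."""
    fields = line.split(";", 1)[0].split()
    if len(fields) < 3 or line[0].isspace() or fields[0].startswith("$"):
        return None  # blank, comment, directive or inherited-owner line: out of scope
    owner, rest = fields[0].lower(), fields[1:]  # owner names compare case-insensitively
    # TTL and class are optional and may appear in either order.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    if len(rest) < 2:
        return None
    return owner, rest[0].upper(), " ".join(rest[1:])

def lint_zone(text):
    """Return (duplicate RRs, owners holding both CNAME and DNAME)."""
    seen = Counter()
    types_at = defaultdict(set)
    for line in text.splitlines():
        rr = parse_rr(line)
        if rr is None:
            continue
        seen[rr] += 1
        types_at[rr[0]].add(rr[1])
    duplicates = sorted(rr for rr, n in seen.items() if n > 1)
    conflicts = sorted(o for o, t in types_at.items() if {"CNAME", "DNAME"} <= t)
    return duplicates, conflicts

if __name__ == "__main__":
    dups, conflicts = lint_zone(SAMPLE_ZONE)
    for owner, rtype, rdata in dups:
        print(f"duplicate RR: {owner} {rtype} {rdata}")
    for owner in conflicts:
        print(f"CNAME and DNAME at same owner: {owner}")
```

Running a check like this in the zone-generation script, before the file is handed to the signer, catches both kinds of input error at the source.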