> We are getting the error while verifying the opendnssec signed
> zone file - " A has signature(s), but is occluded (or glue)"

Yep, I see what's going on.

> Following are the test cases done on the opendnssec server. I am
> not sure if it is a bug or if we need to follow some procedure to
> avoid this issue. Please suggest.

In general, the remedy for this is to remove non-glue
non-authoritative data from your un-signed zone.

However... It seems that the operations you are performing, in
particular going from #2 where the site1.example.com delegation
has been removed to re-introducing site1.example.com as a
delegated zone in step #3, is changing the "glueness" of the A
records for

ns1.site1.example.com.
ns2.site1.example.com.

and it's entirely possible that OpenDNSSEC doesn't handle that
correctly, and instead retains the signatures for those A records
which were (correctly) computed in step #2.

A possible workaround is to remove both the delegation of
site1.example.com and the glue records, have OpenDNSSEC sign that
zone, and then re-introduce both at the same time and have
OpenDNSSEC do a new signing operation.

Best regards,

- Håvard
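
An added example, not part of the original message and not OpenDNSSEC code: a small check for the condition discussed above, an RRSIG left on records that sit at or below a delegation. The zone text, the `APEX` value and the function names are constructed for illustration, and the parser assumes one record per line with absolute owner names.

```python
# Added example: flag RRSIGs that cover occluded or glue data in a signed zone.
# Assumption: one record per line (owner TTL class type rdata), absolute names.

APEX = "example.com."

# Constructed sample: glue A records under site1 kept RRSIGs from an earlier run.
SIGNED_ZONE = """\
example.com. 3600 IN SOA ns.example.com. host.example.com. 1 3600 600 86400 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 (constructed)
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 (constructed)
ns.example.com. 3600 IN A 192.0.2.53
ns.example.com. 3600 IN RRSIG A 8 3 3600 (constructed)
site1.example.com. 3600 IN NS ns1.site1.example.com.
site1.example.com. 3600 IN NS ns2.site1.example.com.
site1.example.com. 3600 IN NSEC www.example.com. NS RRSIG NSEC
site1.example.com. 3600 IN RRSIG NSEC 8 3 3600 (constructed)
ns1.site1.example.com. 3600 IN A 192.0.2.1
ns1.site1.example.com. 3600 IN RRSIG A 8 4 3600 (constructed)
ns2.site1.example.com. 3600 IN A 192.0.2.2
ns2.site1.example.com. 3600 IN RRSIG A 8 4 3600 (constructed)
"""

def parse(text):
    """Yield (owner, rrtype, first rdata field) for each record line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            yield f[0].lower(), f[3].upper(), f[4].upper()

def signed_occluded(text, apex=APEX):
    """Return sorted (owner, covered_type) pairs whose RRSIG should not exist."""
    records = list(parse(text))
    # A delegation point (zone cut) is any non-apex owner name holding NS.
    cuts = {o for o, t, _ in records if t == "NS" and o != apex.lower()}
    bad = set()
    for owner, rrtype, covered in records:
        if rrtype != "RRSIG":
            continue
        for cut in cuts:
            below = owner.endswith("." + cut)  # glue or occluded name
            # At the cut itself only DS and NSEC are authoritative.
            at_cut = owner == cut and covered not in ("DS", "NSEC")
            if below or at_cut:
                bad.add((owner, covered))
    return sorted(bad)

if __name__ == "__main__":
    for owner, covered in signed_occluded(SIGNED_ZONE):
        print(f"stale RRSIG over {covered} at {owner} (occluded or glue)")
```
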
