Public bug reported: It seems zonesigner (through dnssec-signzone?) decides to include in the zone being signed DS records for subzones/child zones that have key material on disk, even though there are NO DS RECORDS in the zone being signed at that time.

This just bit me up the a**e. DNSSEC tools should NOT mess with my zone data other than adding RRSIGs/DNSKEYs. Also, this behaviour breaks DNSSEC, as prepublishing of DNSKEY material is somewhat impossible this way.

Steps to reproduce:
- Sign example.tld
- Sign sub.example.tld
- Add 'sub IN NS ..' records to example.tld pointing to the same NS-set as example.tld
- Resign example.tld

The DS for sub.example.tld is automatically included. (Key material for all zones has to be in the same directory; I think this is caused by the use of the -S option to dnssec-signzone.)

** Affects: dnssec-tools (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1075156
Title: Zonesigner decides on its own to include DS for signed childzone.
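A way to detect the behaviour described in the report, as an added example (not code from the bug report or from dnssec-tools): compare the DS RRsets of the unsigned input zone and the signed output, so any DS the signer added on its own shows up before the zone is published. It assumes one record per line in the common "owner [TTL] [IN] TYPE rdata" form; the sample zones and digest values are constructed placeholders.

```python
"""Flag DS records that appear in a signed zone but not in its unsigned input."""
import re

# Minimal zone-line matcher: owner, optional TTL, optional class, type, rdata.
# Multi-line records and $INCLUDE handling are out of scope for this check.
_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$"
)

def ds_records(zone_text):
    """Return the set of (owner, rdata) pairs of DS records in a zone text."""
    found = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip blanks and directives
            continue
        m = _LINE.match(line)
        if m and m.group("type") == "DS":
            rdata = " ".join(m.group("rdata").split())  # normalise whitespace
            found.add((m.group("owner").lower(), rdata))
    return found

def injected_ds(unsigned_text, signed_text):
    """DS records present in the signed zone but absent from the unsigned one."""
    return sorted(ds_records(signed_text) - ds_records(unsigned_text))

# Constructed sample zones (key tag and digest are placeholders, not real values).
UNSIGNED = """\
$ORIGIN example.tld.
@     3600 IN SOA ns1 hostmaster 2012110401 7200 900 1209600 3600
@     3600 IN NS  ns1
sub   3600 IN NS  ns1
"""
SIGNED = UNSIGNED + """\
sub   3600 IN DS  12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
sub   3600 IN RRSIG DS 8 2 3600 20121204000000 20121104000000 54321 example.tld. AAAA
"""

if __name__ == "__main__":
    for owner, rdata in injected_ds(UNSIGNED, SIGNED):
        print(f"unexpected DS added by signer: {owner} {rdata}")
```

Run it against the real unsigned and signed files after each resign; a non-empty result means the signer introduced delegation data the operator did not put in the zone.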