Hi, I just found quite a serious bug in dnssec-signzone :-(. dnssec-signzone quietly drops DS records when the -g switch is used (generate DS records).
Commands used:

Without -g:

  # dnssec-signzone -v 255 -s 20080901000000 -e 20080930235900 -k Kcz.+005+36397.key -o cz -f cz.signed.plain cz.example Kcz.+005+16902.key 2>dnssec-signzone.log.plain

With -g:

  dnssec-signzone -g -v 255 -s 20080901000000 -e 20080930235900 -k Kcz.+005+36397.key -o cz -f cz.signed.gends cz.example Kcz.+005+16902.key 2>dnssec-signzone.log.gends

Attached files:
- cz.example (stripped-down .cz zone)
- cz.signed.*
- dnssec-signzone.log.*
- cz.signed.diff (diff of cz.signed.plain and cz.signed.gends)
- dnssec-signzone.log.diff (diff of dnssec-signzone.log.plain and dnssec-signzone.log.gends)

Notice that dnssec-signzone.log.gends doesn't even mention the DS record of dnssec.cz; it looks like there is some IF DS THEN SKIP code when -g is used.

Regards,
Ondrej.

--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:[EMAIL PROTECTED]
http://nic.cz/
sip:[EMAIL PROTECTED]
tel:+420.222745110
mob:+420.739013699
fax:+420.222745112
-----------------------------------------
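Added example, not code from the poster or from BIND: a Python check that parses the DS RRsets out of the unsigned input zone and the signed output and reports any DS record that disappeared, so a silent drop like the one reported above is caught by the signing pipeline itself rather than by reading the log. The zone texts, the key tag, the digest and the signature are constructed placeholders, not real cz. data.

```python
from collections import defaultdict

def parse_ds_records(zone_text, origin):
    """Return {owner: set(rdata)} for every DS record in master-format zone text
    (handles ';' comments, $ORIGIN, optional TTL/class and relative owner names)."""
    ds = defaultdict(set)
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue
        if raw[0] not in " \t":            # owner name present (no leading blank)
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                 # skip optional TTL and class
        if tokens and tokens[0].upper() == "DS":
            ds[last_owner.lower()].add(" ".join(tokens[1:]).lower())
    return dict(ds)

def missing_ds(unsigned_text, signed_text, origin):
    """DS records present in the unsigned zone but absent from the signed output."""
    before = parse_ds_records(unsigned_text, origin)
    after = parse_ds_records(signed_text, origin)
    return {owner: rrset - after.get(owner, set())
            for owner, rrset in before.items() if rrset - after.get(owner, set())}

# Constructed sample zones (placeholder digest and signature, not real cz. data).
UNSIGNED = """$ORIGIN cz.
@        3600 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1 3600 900 604800 3600
         3600 IN NS  a.ns.nic.cz.
dnssec   3600 IN NS  ns.dnssec.cz.
dnssec   3600 IN DS  12345 5 1 0123456789abcdef0123456789abcdef01234567
"""
# Stand-in for cz.signed.gends: signatures and NSEC added, but the DS record is gone.
SIGNED_GENDS = """cz.        3600 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1 3600 900 604800 3600
cz.        3600 IN NS  a.ns.nic.cz.
cz.        3600 IN RRSIG NS 5 1 3600 20080930235900 20080901000000 16902 cz. PLACEHOLDER=
dnssec.cz. 3600 IN NS  ns.dnssec.cz.
dnssec.cz. 3600 IN NSEC cz. NS RRSIG NSEC
"""
```

Running `missing_ds(UNSIGNED, SIGNED_GENDS, "cz.")` on the constructed data returns the dropped dnssec.cz DS RRset; an empty dict means every input DS record survived signing.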