Dear all, I have the following test zone files:
8.example.com.signed K8.example.com.+008+40162.key K8.example.com.+008+40162.private I edit the signed zone directly (8.example.com.signed) and remove for example an A record and then resign the zone as following: dnssec-signzone -z -o 8.example.com. -f 8.example.com.signed2 8.example.com.signed The resigned zone (8.example.com.signed2) has updated the NSEC chain but the RRSIG for the removed A record retains. While this is not a problem for BIND to load the zone it seems unexpected to me. Should dnssec-signzone not remove obsolete signatures? Daniel _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users