Peter, while I pretty much agree that Knot DNS should not be dropping the RRSIGs, could you try resigning the zone correctly and trying again?
ondrej@komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt
Error: no signatures for sl.bilke.org. SOA
Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
There were errors in the zone
ondrej@komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o sl.bilke.org ax.txt
Loading zone 'sl.bilke.org' from file 'ax.txt'
dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)

Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for baking bread of all kinds

On Sun, Nov 13, 2016, at 22:04, Peter Palfrader wrote:
> Package: knot
> Version: 2.3.1-1~bpo8+1
> Severity: important
>
> Hi,
>
> I am secondary for a zone, sl.bilke.org, that is transferred via TSIG
> protected zone transfer.
>
> Now it stopped returning RRSIG, and it turns out, it doesn't even store
> them in its copy of the zone file. For testing purposes I have removed
> the .zone and .db and issued a re-transfer.
>
> I have attached the .zone file knot wrote and a dig axfr output. You
> can see they differ.
>
> It would be good if knot would keep those RRSIGs around and serve them
> on request.
> --
>                            |  .''`.  ** Debian **
> Peter Palfrader            | : :' :      The  universal
> https://www.palfrader.org/ | `. `'      Operating System
>                            |   `-    https://www.debian.org/
> _______________________________________________
> pkg-dns-devel mailing list
> [email protected]
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
> Email had 2 attachments:
> + sl.bilke.org.zone
>   20k (application/octet-stream)
> + ax
>   39k (text/plain)
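The first error both tools report above is a coverage problem, not a cryptographic one: the SOA RRset in the transferred zone simply has no RRSIG over it. The script below is an added example (not part of this thread, and not code from Knot DNS, ldns or BIND) that reimplements only that coverage check in plain Python, so you can see exactly which RRsets a primary handed over without signatures before blaming the secondary. It assumes a simplified presentation format (one RR per line, "owner TTL class TYPE rdata", fully qualified owners, no $ORIGIN or multi-line parentheses) and, per RFC 4035 section 2.2, treats RRSIG RRsets, NS RRsets at delegation points and glue beneath them as unsigned by design. The sample zone, key tags and signature bodies are constructed placeholders, not the real sl.bilke.org data; the script does not validate the signatures themselves, which is the second error ldns-verify-zone raises.

```python
"""Report RRsets in a DNSSEC-signed zone that carry no covering RRSIG.

Added example for the thread above; not Knot DNS, ldns or BIND code.
Assumes a simplified presentation format: one RR per line, fully
qualified owner names, "owner TTL class TYPE rdata...", no $ORIGIN
and no multi-line parentheses.
"""

# Constructed sample zone (not the real sl.bilke.org transfer): the
# apex SOA and www A RRsets are deliberately left without RRSIGs.
SAMPLE_ZONE = """\
; constructed sample, signature fields are placeholders
example.test.        3600 IN SOA    ns1.example.test. hostmaster.example.test. 2016111301 7200 3600 1209600 3600
example.test.        3600 IN NS     ns1.example.test.
example.test.        3600 IN RRSIG  NS 13 2 3600 20161213000000 20161113000000 12345 example.test. c2lnMQ==
example.test.        3600 IN DNSKEY 257 3 13 ZXhhbXBsZS1rZXk=
example.test.        3600 IN RRSIG  DNSKEY 13 2 3600 20161213000000 20161113000000 12345 example.test. c2lnMg==
ns1.example.test.    3600 IN A      192.0.2.1
ns1.example.test.    3600 IN RRSIG  A 13 3 3600 20161213000000 20161113000000 12345 example.test. c2lnMw==
www.example.test.    3600 IN A      192.0.2.2
sub.example.test.    3600 IN NS     ns.sub.example.test.
sub.example.test.    3600 IN DS     12345 13 2 abcd
sub.example.test.    3600 IN RRSIG  DS 13 3 3600 20161213000000 20161113000000 12345 example.test. c2lnNA==
ns.sub.example.test. 3600 IN A      192.0.2.3
"""


def parse_zone(text):
    """Yield (owner, type, rdata_fields) for every RR in the simplified format."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("unparseable RR: %r" % line)
        owner, _ttl, _cls, rtype = fields[:4]
        yield owner.lower(), rtype.upper(), fields[4:]


def find_unsigned_rrsets(zone_text, apex):
    """Return sorted (owner, type) pairs that should have an RRSIG but do not.

    Skipped on purpose: RRSIG RRsets themselves, NS RRsets at delegation
    points and any glue at or below a delegation (RFC 4035 section 2.2).
    A DS RRset at a delegation point belongs to this zone and must be signed.
    """
    apex = apex.lower().rstrip(".") + "."
    rrsets, covered, delegations = set(), set(), set()
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))   # "type covered" is the first rdata field
            continue
        if rtype == "NS" and owner != apex:
            delegations.add(owner)                   # non-apex NS marks a delegation point
        rrsets.add((owner, rtype))

    missing = []
    for owner, rtype in sorted(rrsets):
        below_cut = any(owner == d or owner.endswith("." + d) for d in delegations)
        if below_cut and rtype != "DS":
            continue                                 # delegation NS and glue are unsigned by design
        if (owner, rtype) not in covered:
            missing.append((owner, rtype))
    return missing


if __name__ == "__main__":
    problems = find_unsigned_rrsets(SAMPLE_ZONE, "example.test")
    for owner, rtype in problems:
        print("Error: no signatures for %s %s" % (owner, rtype))
    print("There were errors in the zone" if problems else "All RRsets are covered by an RRSIG")
```

Run against the text of a `dig axfr` output (the ax file in the report, after stripping dig's comment lines), it prints one line per uncovered RRset in the same shape as ldns-verify-zone's first error, which is enough to tell a primary that never sent the signatures apart from a secondary that dropped them.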

