This has now been fixed in git master and it will be part of any future release.
Also please note that we found that knot dns has transferred all records successfully, it just didn't dump all of them to the zonefile.

Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds

On Mon, Nov 14, 2016, at 14:22, Peter Palfrader wrote:
> severity 844261 minor
> thanks
>
> On Mon, 14 Nov 2016, Ondřej Surý wrote:
>
> > while I pretty much agree that Knot DNS should not be dropping the
> > RRSIGs, could you
> > try resigning the zone correctly and trying again?
> >
> > ondrej@komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt
> > Error: no signatures for sl.bilke.org. SOA
> > Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
> > There were errors in the zone
> >
> > ondrej@komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o
> > sl.bilke.org ax.txt
> > Loading zone 'sl.bilke.org' from file 'ax.txt'
> > dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)
>
> Interesting, thanks a lot for pointing in the right direction. It turns
> out, the zone was signed by the zone owner using a bind inline signing
> with only partial access to the rolling key material.
>
> I still think the diagnostics on knot's part could be improved also.
> So, it shouldn't drop some of the RRSIGs, and/or maybe it should log
> when it doesn't like the zone?
>
> Cheers,
> weasel
> --
>                            |  .''`.       ** Debian **
>       Peter Palfrader      | : :' :      The universal
> https://www.palfrader.org/ | `. `'      Operating System
>                            |   `-    https://www.debian.org/

