I ran into a corner case where opendnssec and bind showed different behaviour.
There was a domain that expired that had glue records. These records got signed after the NS records were removed. A few days later, the owner restored the domain, making the glue "adopted" again.

The RRSIGs were not removed by bind (dnssec-signzone with feeding old RRSIGs back to it for filtering). They were removed by opendnssec.

Which approach is more correct? I am leaning towards opendnssec.

(and if there are bind/opendnssec devs here, how do I get these two signers to behave the same regarding this issue, to avoid hitting a false positive of a broken signer engine)

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
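A check for the condition described in the message above, as an added example that is not part of the original post and is not code from BIND or OpenDNSSEC: it flags RRSIGs whose owner sits at or below a delegation, assuming the RFC 4035 section 2.2 rule that glue and delegation NS RRsets are not signed. The zone text, the `example.test` names and the `find_stale_rrsigs` helper are constructed for illustration, and the parser only handles one record per line.

```python
# Constructed sample zone (one record per line, signatures abbreviated).
# The last RRSIG was created while child.example.test had no NS records.
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 (sig)
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 13 3 3600 (sig)
child.example.test. 3600 IN NS ns1.child.example.test.
child.example.test. 3600 IN DS 12345 13 2 (digest)
child.example.test. 3600 IN RRSIG DS 13 3 3600 (sig)
ns1.child.example.test. 3600 IN A 192.0.2.53
ns1.child.example.test. 3600 IN RRSIG A 13 4 3600 (sig)
"""

# RRsets the parent is still authoritative for at a delegation point.
SIGNED_AT_CUT = {"DS", "NSEC"}


def labels(name):
    """Lower-cased label tuple, e.g. 'A.Example.' -> ('a', 'example')."""
    return tuple(name.lower().rstrip(".").split("."))


def parse(zone_text):
    """Yield (owner_labels, rtype, rdata_fields) for each record line."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        yield labels(fields[0]), fields[3].upper(), fields[4:]


def find_stale_rrsigs(zone_text, origin):
    """Return [(owner, covered_type)] for RRSIGs over non-authoritative data."""
    records = list(parse(zone_text))
    apex = labels(origin)
    # Every non-apex owner of an NS RRset is a zone cut.
    cuts = {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}
    stale = []
    for owner, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered = rdata[0].upper()  # first RRSIG rdata field is the type covered
        for cut in cuts:
            below = len(owner) > len(cut) and owner[-len(cut):] == cut
            if below or (owner == cut and covered not in SIGNED_AT_CUT):
                stale.append((".".join(owner) + ".", covered))
                break
    return stale
```

Running it over the output of each signer for the same input zone shows whether the leftover glue signatures are the only difference between them.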
