I found the following bug:
git.foo.com. IN A 1.2.3.4
git.foo.com. IN SSHFP 1 1 AAACC04AA31DF4A04C11254FB6939A15C3A11B87
Sign the zone.
Edit the zone and replace the two above records with:
git.foo.com. IN CNAME www
Sign the zone. ods-signer refuses because the auditor finds:
Feb 6 15:50:20 nohats ods-auditor[14700]: NSEC includes SSHFP which is not in rrsets for git.foo.com.
It should just fix the NSEC chain. Did the CNAME confuse it?
Paul
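
The consistency rule behind the auditor message above, as an added example that is not part of the original post and is not OpenDNSSEC code: it builds the RFC 4034 NSEC type bitmap for git.foo.com. before and after the edit and compares what the NSEC claims with the RRsets present. The function names and the wording of the second message are assumptions; the record data is constructed from the report.

```python
# Added example with constructed data; not the ods-auditor implementation.
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "SSHFP": 44, "RRSIG": 46, "NSEC": 47}
NAMES = {num: name for name, num in TYPES.items()}

def encode_bitmap(types):
    """Encode RR type mnemonics as an NSEC type bitmap (RFC 4034, 4.1.2)."""
    windows = {}
    for name in types:
        num = TYPES[name]
        bits = windows.setdefault(num >> 8, bytearray(32))
        bits[(num & 0xFF) >> 3] |= 0x80 >> (num & 7)   # bit 0 is the MSB
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)

def decode_bitmap(data):
    """Decode an NSEC type bitmap back into a set of RR type mnemonics."""
    types, i = set(), 0
    while i < len(data):
        window, length = data[i], data[i + 1]
        for off, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    num = (window << 8) | (off * 8 + bit)
                    types.add(NAMES.get(num, f"TYPE{num}"))
        i += 2 + length
    return types

def audit(owner, rrset_types, nsec_bitmap):
    """Report every disagreement between an NSEC and the RRsets at owner."""
    claimed = decode_bitmap(nsec_bitmap)
    # Assumption: a signed owner name always carries RRSIG and NSEC itself.
    present = set(rrset_types) | {"RRSIG", "NSEC"}
    msgs = [f"NSEC includes {t} which is not in rrsets for {owner}"
            for t in sorted(claimed - present)]
    msgs += [f"{t} is in rrsets for {owner} but missing from NSEC"
             for t in sorted(present - claimed)]
    return msgs

OWNER = "git.foo.com."
STALE = encode_bitmap({"A", "SSHFP", "RRSIG", "NSEC"})  # NSEC from the first signing
FRESH = encode_bitmap({"CNAME", "RRSIG", "NSEC"})       # NSEC expected after the edit

if __name__ == "__main__":
    for line in audit(OWNER, {"CNAME"}, STALE):
        print(line)
```

An NSEC left over from the first signing fails this comparison against the CNAME-only name, while a regenerated bitmap passes it.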