Hi, I'm experimenting with .signconf files for 2.0 using the <Passthrough/> flag, and while playing around I've also checked signconf.rng to see the syntax.

Even with the <Passthrough/> flag for a zone, the syntax for .signconf files demands quite a bit of signing setup:

- Signatures/*
- Denial/NSEC3/Hash/* or Denial/NSEC
- Keys/TTL

The need for SOA/* makes sense, but the others are not as clear to me. Why are they still required by the .signconf syntax? Are they still used in any way?

I also found that DNSKEY entries are preserved when they occur in the .signed file. Are these unexpected things just accidentally retained, or are they in the interest of keeping key material around for a while? If so, isn't that taking care of things that the Enforcer (and so the .signconf file) should take care of?

Thanks,
-Rick
