Hi,
When using dnssec-signzone manually to sign a zone, I think there is a case where it does not drop the RRSIGs when I think it should. Imagine that dnssec-signzone is used with the old signed zone's RRSIG/NSEC* data, along with an updated "unsigned" zone.

Let's say we are example.com. At T=0 we have in our signed zone:

    foo.example.com. IN NS ns1.foo.example.com.
    foo.example.com. IN NS ns2.foo.example.com.
    ns1.foo.example.com. IN A 1.2.3.4
    ns2.foo.example.com. IN A 1.2.3.4

The NS RRset is signed. The A records are not.

At T=1, the delegation for foo.example.com is removed, but (to prevent other domains that depend on those name servers from dying) the A records are retained. Since this is now orphaned glue, the A records get signed.

At T=2, the delegation for foo.example.com is restored. The input zone for dnssec-signzone receives the RRSIGs for the A records, and it should drop these, but instead retains them. I am not sure what happens when they would fall below the re-sign threshold.

I believe the correct behaviour should be for dnssec-signzone to drop the RRSIGs of the A records when the delegation got restored.

Paul
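The three-step timeline above, replayed as an added example (not from the post and not BIND's own code): a small model of which RRsets a signer should cover, and which carried-over RRSIGs become stale when a delegation is removed and later restored. The model applies the RFC 4035 section 2.2 rule that the NS RRset at a delegation point and everything at or below it (the glue) stay unsigned, so the A records are the only RRsets whose signing status changes across the steps. All zone content is constructed for the example; the apex name, the 192.0.2.x addresses and the function names are assumptions.

```python
# Added example (not from the post or from BIND): a model of which RRsets a
# zone signer should cover, used to replay the T=0 / T=1 / T=2 timeline.
# Rule applied (RFC 4035 section 2.2): every RRset in the zone is signed except
# the NS RRset at a delegation point and anything at or below that point (glue).

ZONE_APEX = "example.com."

# Constructed records modelled on the post: (owner, rrtype, rdata).
APEX_RECORDS = [
    (ZONE_APEX, "SOA", "ns.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    (ZONE_APEX, "NS", "ns.example.com."),
    ("ns.example.com.", "A", "192.0.2.1"),
]
DELEGATION = [
    ("foo.example.com.", "NS", "ns1.foo.example.com."),
    ("foo.example.com.", "NS", "ns2.foo.example.com."),
]
GLUE = [
    ("ns1.foo.example.com.", "A", "192.0.2.10"),
    ("ns2.foo.example.com.", "A", "192.0.2.10"),
]


def below_delegation(owner, zone_apex, delegation_points):
    """True if `owner` is at or below a delegation point of this zone.

    Walks from `owner` up to (but not including) the apex; any name on that
    path that carries a non-apex NS RRset makes `owner` non-authoritative here.
    """
    labels = owner.rstrip(".").split(".")
    depth = len(labels) - len(zone_apex.rstrip(".").split("."))
    for i in range(depth):
        if ".".join(labels[i:]) + "." in delegation_points:
            return True
    return False


def signable_rrsets(records, zone_apex):
    """Return the set of (owner, rrtype) pairs the signer must sign."""
    delegation_points = {
        owner for owner, rrtype, _ in records if rrtype == "NS" and owner != zone_apex
    }
    rrsets = {(owner, rrtype) for owner, rrtype, _ in records}
    return {rs for rs in rrsets if not below_delegation(rs[0], zone_apex, delegation_points)}


def reconcile_rrsigs(old_rrsigs, records, zone_apex):
    """Compare the previous signed zone's RRSIG coverage with the new unsigned
    zone content. Returns (signed_now, dropped, newly_signed).

    `dropped` is the set the post argues dnssec-signzone should remove:
    signatures carried over from the old zone for RRsets that are no longer
    authoritative data of this zone.
    """
    wanted = signable_rrsets(records, zone_apex)
    return wanted, old_rrsigs - wanted, wanted - old_rrsigs


def replay_timeline():
    """Replay the post's three steps and return the state at each one."""
    # T=0: delegation present, the A records are glue and unsigned.
    t0_sigs, _, _ = reconcile_rrsigs(set(), APEX_RECORDS + DELEGATION + GLUE, ZONE_APEX)
    # T=1: delegation removed, the A records are now authoritative and get signed.
    t1_sigs, _, t1_new = reconcile_rrsigs(t0_sigs, APEX_RECORDS + GLUE, ZONE_APEX)
    # T=2: delegation restored; the RRSIGs over the A records must be dropped.
    t2_sigs, t2_drop, _ = reconcile_rrsigs(t1_sigs, APEX_RECORDS + DELEGATION + GLUE, ZONE_APEX)
    return {"t0": t0_sigs, "t1": t1_sigs, "t1_new": t1_new, "t2": t2_sigs, "t2_drop": t2_drop}


if __name__ == "__main__":
    for step, value in replay_timeline().items():
        print(step, sorted(value))
```

Running it shows `t1_new` and `t2_drop` both equal to the two A RRsets under foo.example.com: the signatures that are correctly created at T=1 are exactly the ones that have to go at T=2, since the names are glue again and an RRSIG over glue has no valid place in the signed zone.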