[ldns-users] zones with a DS record without corresponding NS records

Paul Wouters paul at xelerance.com
Sat Jul 4 02:38:03 UTC 2009


Hi,

I just ran into a little bug where I had a zone that contained a DS
record for a delegation, but mistakenly did not include any NS records
for that delegation.

ldns-read-zone sees no problem with this zone and nsd zonec compiler
compiled this zone without an error. I guess zonec does not perform any
checks, but ldns-readzone should probably through an error.

Bind's named-checkzone passed the zone as valid, however bind's
dnssec-signzone refused to sign this zone.

I'm not sure what the proper behaviour should be in this case. Though
I would prefer that named-checkzone would not OK anything that
dnssec-signzone refuses to sign.

Paul



More information about the ldns-users mailing list