[ldns-users] ldns-verify-zone two KSK

Tomas Simonaitis simtom at domreg.lt
Thu Mar 26 11:38:05 UTC 2015


ldns-verify-zone (version 1.6.13)
considers signed zone to be invalid when
two KSK keys are present in zone (e.g. during rollover)
but only one key is supplied via -k.

The error is:
"Error: No keys with the keytag and algorithm from the RRSIG found for 

Using -V 5 shows that failing
is RRSIG for ZSK which is signed using DNSKEY not specified via -k.

When checking zone we are supplying only one key via -k (one currently 
published in parent).
During KSK rollover there is also second (upcoming) KSK in zone
(without corresponding DS in parent).

Shouldn't such zone be treated as valid by ldns-verify-zone?

Best Regards,
Tomas Simonaitis

More information about the ldns-users mailing list