[ldns-users] ldns-verify-zone two KSK
Tomas Simonaitis
simtom at domreg.lt
Thu Mar 26 11:38:05 UTC 2015
Hello,
ldns-verify-zone (version 1.6.13) considers a signed zone to be invalid when
two KSK keys are present in the zone (e.g. during a rollover)
but only one key is supplied via -k.
The error is:
"Error: No keys with the keytag and algorithm from the RRSIG found for DNSKEY"
(LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY).
Using -V 5 shows that the failing signature is the RRSIG for the ZSK, which is
signed using a DNSKEY not specified via -k.
When checking the zone we are supplying only one key via -k (the one currently
published in the parent).
During a KSK rollover there is also a second (upcoming) KSK in the zone
(without a corresponding DS in the parent).
Shouldn't such zone be treated as valid by ldns-verify-zone?
Best Regards,
Tomas Simonaitis
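As an added illustration (not ldns code, and not part of the original post), here is a constructed model of the case described above: two KSKs each sign the DNSKEY RRset, only one of them has a DS in the parent, and the ZSK signs the zone data. The strict policy reproduces the reported outcome, while the validator policy follows RFC 4035 section 5.3.1, where a single RRSIG made by a trusted key is enough to validate the RRset. The key bytes, the RRset contents and the HMAC stand-in for the public-key signature are all constructed.

```python
import hmac, hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class DNSKEY:
    flags: int; algorithm: int; pubkey: bytes; protocol: int = 3  # 257 = KSK, 256 = ZSK; constructed key bytes
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
    def keytag(self) -> int:
        # RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class RRSIG:
    algorithm: int; keytag: int; signature: bytes

def sign(key: DNSKEY, rrset: bytes) -> RRSIG:
    # Stand-in for a public-key signature: HMAC keyed with the constructed key bytes
    return RRSIG(key.algorithm, key.keytag(), hmac.new(key.pubkey, rrset, hashlib.sha256).digest())
def verify(sig: RRSIG, key: DNSKEY, rrset: bytes) -> bool:
    return ((sig.algorithm, sig.keytag) == (key.algorithm, key.keytag())
            and hmac.compare_digest(sig.signature, sign(key, rrset).signature))
def strict_check(rrset, sigs, supplied):
    """Every RRSIG needs a supplied key with its keytag/algorithm: the outcome the post reports."""
    for sig in sigs:
        cands = [k for k in supplied if (k.algorithm, k.keytag()) == (sig.algorithm, sig.keytag)]
        if not cands:
            return "NO_MATCHING_KEYTAG"
        if not any(verify(sig, k, rrset) for k in cands):
            return "BOGUS"
    return "SECURE"
def validator_check(rrset, sigs, trusted):
    """RFC 4035 section 5.3.1: one RRSIG that verifies under a trusted key is enough."""
    return "SECURE" if any(verify(s, k, rrset) for s in sigs for k in trusted) else "BOGUS"

# Constructed zone: KSK1 has a DS in the parent, KSK2 is the upcoming KSK, ZSK signs the zone data
KSK1, KSK2, ZSK = DNSKEY(257, 13, b"\0\0\0\0"), DNSKEY(257, 13, b"\x01\x02"), DNSKEY(256, 13, b"\0\0")
DNSKEY_RRSET = b"".join(k.rdata() for k in (KSK1, KSK2, ZSK))
DNSKEY_SIGS = [sign(KSK1, DNSKEY_RRSET), sign(KSK2, DNSKEY_RRSET)]  # one RRSIG per KSK during rollover
SOA_RRSET = b"example. 3600 IN SOA ... (constructed)"
SOA_SIGS = [sign(ZSK, SOA_RRSET)]
def verify_zone(policy, anchors):
    status = policy(DNSKEY_RRSET, DNSKEY_SIGS, anchors)
    if status != "SECURE":
        return status
    # Once the DNSKEY RRset validates, every key in it (ZSK included) is trusted for zone data
    return policy(SOA_RRSET, SOA_SIGS, [KSK1, KSK2, ZSK])
```

With only KSK1 as the anchor, the strict policy stops at the RRSIG made by KSK2, whereas the validator policy accepts the DNSKEY RRset on KSK1's signature and then the ZSK-signed data.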