Zonesigner decides on its own to include DS for signed child zone.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dnssec-tools (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
It seems zonesigner (through dnssec-signzone?) decides to include, in the zone being signed, DS records for subzones/child zones that have key material on disk, even though there are NO DS RECORDS in the zone being signed at that time.
This just bit me up the a**e.
DNSSEC tools should NOT mess with my zone data other than adding RRSIGs/DNSKEYs.
Also, this behaviour breaks DNSSEC as prepublishing of DNSKEY material is somewhat impossible this way.
Steps to reproduce:
- Sign example.tld
- Sign sub.example.tld
- Add 'sub IN NS ..' records to example.tld pointing to the same NS-set as example.tld
- Resign example.tld
The DS for sub.example.tld is automatically included.
(Key material for all zones has to be in the same directory; I think this is caused by the use of the -S option to dnssec-signzone.)
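A check for the behaviour described in this report, added here as an example and not part of the bug report or of dnssec-tools: it compares the DS records in the unsigned input zone with those in the signer's output and reports any DS the signer introduced on its own. The sample zone files are constructed for the demo; the parser assumes one RR per line with an explicit owner name, which is how dnssec-signzone writes its output.

```shell
# Added example: detect DS records that appear in a signed zone but were not
# in the unsigned input. Sample zones below are constructed, not real data.

# Print "owner keytag alg digesttype digest" for every DS RR in a zone file,
# lower-cased and sorted, skipping comments and RRSIG-over-DS records.
ds_records() {
  awk '$0 !~ /^[ \t]*;/ {
         for (i = 2; i <= NF; i++)
           if ($i == "DS" && $(i-1) != "RRSIG") {
             print $1, $(i+1), $(i+2), $(i+3), $(i+4); break
           }
       }' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Print DS records present in the signed zone but absent from the unsigned
# one; exit status 1 when any are found, 0 when the signer added none.
unexpected_ds() {
  u=$(mktemp); s=$(mktemp)
  ds_records "$1" > "$u"
  ds_records "$2" > "$s"
  extra=$(comm -13 "$u" "$s")
  rm -f "$u" "$s"
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra"
  return 1
}

# Constructed sample zones mirroring the report: the unsigned parent has a
# delegation for "sub" but no DS; the signed output suddenly carries one.
UNSIGNED=$(mktemp); SIGNED=$(mktemp)
cat > "$UNSIGNED" <<'EOF'
$ORIGIN example.tld.
$TTL 3600
@    IN SOA ns1.example.tld. hostmaster.example.tld. 1 7200 3600 1209600 3600
@    IN NS  ns1.example.tld.
sub  IN NS  ns1.example.tld.
EOF
cat > "$SIGNED" <<'EOF'
example.tld.     3600 IN SOA   ns1.example.tld. hostmaster.example.tld. 2 7200 3600 1209600 3600
example.tld.     3600 IN NS    ns1.example.tld.
sub.example.tld. 3600 IN NS    ns1.example.tld.
sub.example.tld. 3600 IN DS    12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
sub.example.tld. 3600 IN RRSIG DS 8 3 3600 20240201000000 20240101000000 54321 example.tld. c29tZXNpZw==
EOF
unexpected_ds "$UNSIGNED" "$SIGNED" || echo "signer added DS records not present in the input zone"
```

Run it against your own unsigned zone and the signer's output before loading the signed zone; a non-zero exit lists each DS the signer added.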