Some dnssec-signzone questions

Torinthiel torinthiel at
Tue Feb 1 14:37:18 UTC 2011

I have three questions regarding dnssec-signzone:

To clarify things, I'm using BIND 9.7.2-P2.

First is about input file: you can specify on the command line either the 
signed version of the zone, or the unsigned one.
What I'd like to do hovever, is to use both.
The unsigned zone is much more readable, and can contain $INCLUDE directives,
 which makes modification easier.
But specifying the signed zone has added benefit of reusing existing 
signatures, thus saving on computation time (not that I have a lot to save 
on ;). So, I'd like dnssec-signzone to take 'normal' records from non-signed 
zone, try to reuse RRSIG records as much as possible, taking them from 
signed zone, and write the result.
Is this possible with dnssec-signzone? Other than writing a custom tool to 
filter only NSEC/RRSIG records from .signed and appending this file to 
unsigned zone?
Which might not be that hard, probably a simple sed script would do.

Another is about key management and -S option:
Guessing by what I've read in the man page -S should use key metadata to 
decide when to include/exclude/use/revoke the key.
However, I've been unable to make it work. I have 2 KSK keys, one of them 
set to revoke in the past, as dnssec-settime kindly tells me.
But, when I do dnssec-signzone -S on the unsigned file, I get error message:
dnssec-signzone: fatal: cannot find DNSKEY RRSIGs
and nothing is signed.
dnssec-signzone without -S can properly sign the zone, ignoring revokation 
Then, I do dnssec-signzone -S on the signed file, which only retains old 
signatures, also happily ignoring revokation time.
What am I doing wrong, why it fails to behave as I'd expect?

Third is about -N option:
a well established practice (although I don't know what was the origin) is 
to set SOA serial number to eg 2011020101, which is current day and 
two-digit of daily version. This has benefit of being almost as good as 
putting unixtime of last modification, while being much more human-readable. 
How difficult would it be to implement this for  dnssec-signzone -N, using a 
fourth format specifier?


More information about the bind-users mailing list