DNSSEC's sorted zone

Paul Wouters paul at xelerance.com
Wed Jan 12 20:19:53 UTC 2011


On Wed, 12 Jan 2011, Mark Elkins wrote:

> dnssec-signzone  -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
> increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1
> example.com.signed
>
> A minute later - I run the same command - but output to a different
> file...   -f example.com.sign-2
>
> A 'diff' of the two output files gives lots of differences - apart from
> the zone creation time.
>
> If I include the "-n ncpus" as "-n 1" - then the files are the same
> (except for the creation time).
>
> I believe that the data is fundamentally the same - but it is partially
> re-ordered if there are multiple threads. This is not what I would have
> expected - having had it drummed into me that dnssec-signzone will
> first sort the zone then generate all the RRSIG records - etc...
> I find this disturbing. It appears to only be doing this on CNAME
> records.

I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
and canonicalises the zone. Later on, you can then also use this command
to separate unsigned data from DNSSEC data, and merge in data (e.g. updates)
from multiple zone versions while re-using previous RRSIGs.

Paul
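The following is an added example for this thread, not code from ldns, BIND or either poster. It shows, in Python, the part of what `ldns-read-zone -z` does that matters for the diff Mark describes: lower-case the owner names and put the RRs into RFC 4034 section 6.1 canonical DNS name order, so two copies of the same signed zone compare equal whatever order the signer's threads emitted them in. The two zone texts are constructed stand-ins for the two signer outputs (placeholder base64 in the RRSIGs, not real signatures); the parser assumes one RR per line in presentation format with absolute owner names, no $ORIGIN/$TTL directives, no parentheses, no \DDD escapes and no quoted TXT strings.

```python
"""Canonical re-ordering of a zone so that two copies of the same signed
zone compare equal regardless of the order the signer emitted them.

Added example for this thread; not code from ldns or BIND.  Assumptions
(constructed for this example): one RR per line in presentation format
"owner TTL class type rdata", absolute owner names, no $ORIGIN/$TTL,
no parentheses, no \\DDD escapes, no quoted TXT strings.  ';' starts a
comment, which is dropped (this also removes the "File written on ..."
header line that the signer emits, so the creation time no longer diffs).
"""

from typing import List, Optional, Tuple


def canonical_name_key(name: str) -> Tuple[bytes, ...]:
    """Sort key giving RFC 4034 section 6.1 canonical DNS name order.

    Labels are compared as lower-cased octet strings, most significant
    (rightmost) label first.  A name sorts before every name that has it
    as a suffix, because its tuple is a prefix of the longer tuple.
    """
    trimmed = name.rstrip(".")
    labels = trimmed.lower().split(".") if trimmed else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def sort_names(names: List[str]) -> List[str]:
    """Names in canonical order (e.g. the RFC 4034 6.1 example, minus escapes)."""
    return sorted(names, key=canonical_name_key)


def parse_rr(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one presentation-format RR into (owner, ttl, class, type, rdata).

    Returns None for blank and comment-only lines.  Owner is lower-cased
    (owner names are case-insensitive); RDATA keeps its case and is only
    whitespace-normalised.
    """
    line = line.split(";", 1)[0].strip()  # assumption: no ';' inside RDATA
    if not line:
        return None
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"not an RR: {line!r}")
    owner, ttl, cls, rtype = tokens[:4]
    return owner.lower(), ttl, cls.upper(), rtype.upper(), " ".join(tokens[4:])


def canonical_zone(text: str) -> List[str]:
    """Zone text -> RR lines in a deterministic canonical order.

    Sort order: owner (canonical DNS order), class, type mnemonic, RDATA.
    Real canonical form (RFC 4034 6.2/6.3) orders types by numeric code and
    RDATA by wire octets; sorting by mnemonic and presentation RDATA is a
    different but equally deterministic order, which is all an equality
    comparison of two copies of the same zone needs.
    """
    rrs = [rr for rr in (parse_rr(l) for l in text.splitlines()) if rr]
    rrs.sort(key=lambda rr: (canonical_name_key(rr[0]), rr[2], rr[3], rr[4]))
    return ["\t".join(rr) for rr in rrs]


def zones_equivalent(a: str, b: str) -> bool:
    """True when a and b carry the same RRs, whatever their line order."""
    return canonical_zone(a) == canonical_zone(b)


# Constructed stand-ins for two signer runs over the same input: same RRs,
# different line order, different creation-time comment, one owner name in
# a different case.  The RRSIG signature fields are placeholder base64.
SIGN_1 = """\
; File written on Tue Jan 11 16:15:53 2011
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011011101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN CNAME ns1.example.com.
www.example.com. 3600 IN RRSIG CNAME 8 3 3600 20110210161553 20110111161553 12345 example.com. AAAAc2lnLWZvci13d3c=
mail.example.com. 3600 IN CNAME ns1.example.com.
mail.example.com. 3600 IN RRSIG CNAME 8 3 3600 20110210161553 20110111161553 12345 example.com. AAAAc2lnLWZvci1tYWls
"""

SIGN_2 = """\
; File written on Tue Jan 11 16:16:53 2011
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011011101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
Mail.example.com. 3600 IN RRSIG CNAME 8 3 3600 20110210161553 20110111161553 12345 example.com. AAAAc2lnLWZvci1tYWls
Mail.example.com. 3600 IN CNAME ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG CNAME 8 3 3600 20110210161553 20110111161553 12345 example.com. AAAAc2lnLWZvci13d3c=
www.example.com. 3600 IN CNAME ns1.example.com.
"""

if __name__ == "__main__":
    print("naive line diff:", "same" if SIGN_1 == SIGN_2 else "differs")
    print("canonical compare:", zones_equivalent(SIGN_1, SIGN_2))
    print("\n".join(canonical_zone(SIGN_2)))
```

A plain `diff` of the two texts reports every swapped line, while `zones_equivalent` reports that they carry the same RRs; the same canonical pass applied before signing (what Paul suggests with ldns-read-zone) makes the signer's input, and therefore its output, identical from run to run apart from the timestamp comment.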



More information about the bind-users mailing list