DNSSEC's sorted zone

Paul Wouters paul at xelerance.com
Thu Jan 13 00:46:31 UTC 2011

On Thu, 13 Jan 2011, Mark Andrews wrote:

> dnssec-signzone uses multiple threads to sign the zone a node at a
> time.  These work items finish in a non-deterministic manner leading
> to a different order in the resulting text file being produced.
> This is done after the zone was sorted to generate the NSEC records.

So post-processing with ldns-read-zone would allow one to see the actual

>> I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
>> and canonicalises the zone. Later on, you can then also use this command
>> to seperate unsigned data from dnssec, and merge in data (eg updates)
>> from multiple zone versions while re-using previous RRSIGs
> Firstly there is no need to pre-sort the zone.  If one want to
> canonicalises the zone named-checkzone will do that fine.
> dnssec-signzone will workout if it needs to regenerate signatures
> or preserve the existing signatures.

In the setup i described, you get a new unsigned zone and you need
to merge it with the signed zone, hence the pre-processing.

(this is requires for on offline signers, where the private ZSK is not


More information about the bind-users mailing list