dnssec-signzone, dsset files and deleted KSK's

John Marshall john.marshall at riverwillow.com.au
Thu Aug 2 23:28:46 UTC 2012

Context: BIND 9.8.3-P2

If dnssec-signzone is invoked with -S (smart signing), it examines keys
in the key repository directory (-K) and selects only current keys for
inclusion in the zone. That works well. It also generates DS records for
the parent zone and lands them in a dsset file in (-d).

The behaviour of the dsset file generation appears to be unaffected by
the smart signing switch (-S). The generated dsset file includes all
KSK's found in the key repository (-K) irrespective of any timing
metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted
keys may remain in the key repository but the only way to exclude
deleted KSK's from the dsset file seems to be to remove them from the
key repository directory.

Am I not driving this properly?

Thank you.

John Marshall

More information about the bind-users mailing list