dnssec-signzone retains obsolete signatures
daniel.stirnimann at switch.ch
Sat Apr 2 14:07:00 UTC 2016
> While this is not a problem for BIND to load the zone it seems
> unexpected to me. Should dnssec-signzone not remove obsolete signatures?
Found out that this issue is fixed in BIND 9.11.0a1:
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
from the zone's apex. [RT #41483]
Specifically, it was fixed on the 28th Jan 2016:
I believe the wording "from the zone's apex" is wrong as it removes
unnecessary rrsigs from the whole zone.
More information about the bind-users