[Pkg-dns-devel] Bug#844261: Bug#844261: does not correctly transfer zone - drops at least some RRSIGs

Ondřej Surý ondrej at sury.org
Mon Nov 14 01:35:12 UTC 2016 

Peter,

while I pretty much agree that Knot DNS should not be dropping the
RRSIGs, could you
try resigning the zone correctly and trying again?

ondrej at komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt 
Error: no signatures for sl.bilke.org.  SOA
Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
There were errors in the zone

ondrej at komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o
sl.bilke.org ax.txt 
Loading zone 'sl.bilke.org' from file 'ax.txt'
dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro
pečení chleba všeho druhu

On Sun, Nov 13, 2016, at 22:04, Peter Palfrader wrote:
> Package: knot
> Version: 2.3.1-1~bpo8+1
> Severity: important
> 
> Hi,
> 
> I am secondary for a zone, sl.bilke.org, that is transferred via tsig
> protected zone transfer.
> 
> Now it stopped returning RRSIG, and it turns out, it doesn't even store
> them in its copy of the zone file.  For resting purposes I have removed
> the .zone and .db and issued a re-transfer.
> 
> I have attached the .zone file knot wrote and a dig axfr output.  You
> can see they differ.
> 
> It would be good if knot would keep those RRSIGs around and serve them
> on request.
> -- 
>                             |  .''`.       ** Debian **
>       Peter Palfrader       | : :' :      The  universal
>  https://www.palfrader.org/ | `. `'      Operating System
>                             |   `-    https://www.debian.org/
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
> Email had 2 attachments:
> + sl.bilke.org.zone
>   20k (application/octet-stream)
> + ax
>   39k (text/plain)

More information about the pkg-dns-devel mailing list