On Wed, 12 Jan 2011, Mark Elkins wrote:

dnssec-signzone  -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1
example.com.signed

A minute later - I run the same command - but output to a different
file...   -f example.com.sign-2

A 'diff' of the two output files gives lots of differences - apart from
the zone creation time.

If I include the "-n ncpus" as "-n 1" - then the files are the same
(except for the creation time).

I believe that the data is fundamentally the same - but it is partially
re-ordered if there are multiple threads. This is not what I would have
expected - having had it drummed into me that dnssec-signzone will
first sort the zone then generate all the RRSIG records - etc...
I find this disturbing. It appears to only be doing this on CNAME
records.

I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
and canonicalises the zone. Later on, you can then also use this command
to separate unsigned data from dnssec, and merge in data (e.g. updates)
from multiple zone versions while re-using previous RRSIGs.

Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
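One way to check Mark's belief that the two threaded runs hold the same data, as an added example that is not part of the original thread: this Python script sorts each signed zone into RFC 4034 canonical owner-name order, drops the creation-time comment, and compares the resulting RR sets. The master-file layout it parses (fully qualified owners, a TTL and class IN on every RR, multi-line records in parentheses) and the two sample zone snippets are assumptions, not output from the thread.

```python
def canonical_key(owner):
    """RFC 4034 section 6.1 canonical name order: labels compared right to
    left, case-insensitively, as byte strings."""
    name = owner.rstrip(".").lower()
    return tuple(lbl.encode() for lbl in reversed(name.split("."))) if name else ()

def parse_rrs(zone_text):
    """Yield (owner, ttl, type, rdata) per RR from master-format text as
    dnssec-signzone writes it (assumed: fully qualified owners, a TTL on
    every RR, class IN, multi-line RRs in parentheses); ';' comments such
    as the 'File written on' timestamp are dropped before comparing."""
    buf, depth = [], 0
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if fields:
            cls = fields.index("IN")
            yield (fields[0].lower(), fields[cls - 1], fields[cls + 1],
                   " ".join(fields[cls + 2:]))

def canonical_zone(zone_text):
    """RRs in a thread-independent order: canonical owner, type, rdata."""
    return sorted(parse_rrs(zone_text),
                  key=lambda r: (canonical_key(r[0]), r[2], r[3]))

def zones_equivalent(zone_a, zone_b):
    """True when two signed-zone files carry exactly the same RRs, whatever
    order multithreaded dnssec-signzone happened to emit them in."""
    return canonical_zone(zone_a) == canonical_zone(zone_b)

# Constructed sample: the same RRs written twice, in a different order and
# with a different creation-time comment, like the two runs in the thread.
RUN_1 = """; File written on Tue Jan 11 16:15:53 2011
www.example.com.\t3600\tIN CNAME example.com.
www.example.com.\t3600\tIN RRSIG CNAME 8 3 3600 20110210161553 (
\t\t\t\t20110111161553 12345 example.com. AbCd== )
example.com.\t3600\tIN NS ns1.example.com.
"""
RUN_2 = """; File written on Tue Jan 11 16:16:53 2011
example.com.\t3600\tIN NS ns1.example.com.
www.example.com.\t3600\tIN RRSIG CNAME 8 3 3600 20110210161553 (
\t\t\t\t20110111161553 12345 example.com. AbCd== )
www.example.com.\t3600\tIN CNAME example.com.
"""
```

Running `zones_equivalent` over the two real `-f` outputs (after stripping nothing else) tells you whether the threaded diff is only reordering, or whether the RRSIG content itself changed.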
