On Thu, 13 Jan 2011, Mark Andrews wrote:
> dnssec-signzone uses multiple threads to sign the zone a node at a
> time. These work items finish in a non-deterministic manner, leading
> to a different order in the resulting text file being produced.
> This is done after the zone was sorted to generate the NSEC records.
> So post-processing with ldns-read-zone would allow one to see the actual
> differences.

>> I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
>> and canonicalises the zone. Later on, you can then also use this command
>> to separate unsigned data from DNSSEC data, and merge in data (e.g. updates)
>> from multiple zone versions while re-using previous RRSIGs.

> Firstly, there is no need to pre-sort the zone. If one wants to
> canonicalise the zone, named-checkzone will do that fine.
> dnssec-signzone will work out if it needs to regenerate signatures
> or preserve the existing signatures.

In the setup I described, you get a new unsigned zone and you need
to merge it with the signed zone, hence the pre-processing.
(This is required for offline signers, where the private ZSK is not
available.)
Paul
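An added example, not part of the thread: the point both posters make is that the order of records in dnssec-signzone output is not meaningful, and that canonically sorting both copies (as ldns-read-zone or named-checkzone -D do) makes a diff show only the real changes. The script below applies the RFC 4034 canonical owner-name ordering itself to two one-record-per-line zone dumps and diffs them; the two dumps, including the RRSIG fields, are constructed sample data.

```python
# Added example (not from the thread): canonically order two zone dumps and
# show only the real record differences. Assumes one record per line, as
# ldns-read-zone or `named-checkzone -D` emit; sample data below is constructed.
import difflib

def canonical_key(name):
    """RFC 4034 s6.1 owner-name order: compare labels right to left, case-folded."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))

def parse_record(line):
    """Split 'owner ttl class type rdata' into a tuple; skip blanks and ;comments."""
    if not line.strip() or line.lstrip().startswith(";"):
        return None
    fields = line.split(None, 4)
    if len(fields) < 4:
        return None
    owner, ttl, cls, rtype = fields[:4]
    rdata = fields[4].strip() if len(fields) == 5 else ""
    return (owner, ttl, cls, rtype, rdata)

def canonicalize(zone_text):
    """Return the zone as sorted 'owner ttl class type rdata' lines."""
    records = [r for r in map(parse_record, zone_text.splitlines()) if r]
    # Order by canonical owner name, then type, then rdata, so two dumps of the
    # same zone produced with different thread interleavings become identical.
    records.sort(key=lambda r: (canonical_key(r[0]), r[3], r[4]))
    return ["\t".join(r) for r in records]

def zone_diff(zone_a, zone_b):
    """Record lines that differ after canonical sorting, prefixed '-' / '+'."""
    diff = difflib.unified_diff(canonicalize(zone_a), canonicalize(zone_b), lineterm="")
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

# Constructed sample: the same signed zone dumped twice with records in a
# different order; only the RRSIG over www.example. was regenerated.
RUN_A = """\
example.\t3600\tIN\tSOA\tns1.example. hostmaster.example. 2011011301 7200 3600 1209600 3600
www.example.\t3600\tIN\tA\t192.0.2.1
www.example.\t3600\tIN\tRRSIG\tA 8 2 3600 20110213000000 20110113000000 12345 example. sigAAAA==
example.\t3600\tIN\tNS\tns1.example.
"""
RUN_B = """\
example.\t3600\tIN\tNS\tns1.example.
www.example.\t3600\tIN\tRRSIG\tA 8 2 3600 20110213000000 20110113000000 12345 example. sigBBBB==
example.\t3600\tIN\tSOA\tns1.example. hostmaster.example. 2011011301 7200 3600 1209600 3600
www.example.\t3600\tIN\tA\t192.0.2.1
"""
```

Calling `zone_diff(RUN_A, RUN_B)` returns only the two RRSIG lines; a plain `diff` of the raw dumps would report every reordered record.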
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users