freebsd-nq/contrib/bind9/KNOWN-DEFECTS

dnssec-signzone was designed so that it could sign a zone partially, using
only a subset of the DNSSEC keys needed to produce a fully-signed zone.
This permits a zone administrator, for example, to sign a zone with one
key on one machine, move the resulting partially-signed zone to a second
machine, and sign it again with a second key.

An unfortunate side-effect of this flexibility is that dnssec-signzone
does not check to make sure it's signing a zone with any valid keys at
all.  An attempt to sign a zone without any keys will appear to succeed,
producing a "signed" zone with no signatures.  There is no warning issued
when a zone is not signed.

This will be corrected in a future release.  In the meantime, ISC
recommends examining the output of dnssec-signzone to confirm that
the zone is properly signed by all keys before using it.
Vendor import of BIND 9.6.1 2009-06-25 18:50:46 +00:00			`dnssec-signzone was designed so that it could sign a zone partially, using`
			`only a subset of the DNSSEC keys needed to produce a fully-signed zone.`
			`This permits a zone administrator, for example, to sign a zone with one`
			`key on one machine, move the resulting partially-signed zone to a second`
			`machine, and sign it again with a second key.`

			`An unfortunate side-effect of this flexibility is that dnssec-signzone`
			`does not check to make sure it's signing a zone with any valid keys at`
			`all. An attempt to sign a zone without any keys will appear to succeed,`
			`producing a "signed" zone with no signatures. There is no warning issued`
			`when a zone is not signed.`

			`This will be corrected in a future release. In the meantime, ISC`
			`recommends examining the output of dnssec-signzone to confirm that`
			`the zone is properly signed by all keys before using it.`