16 lines
846 B
Plaintext
16 lines
846 B
Plaintext
dnssec-signzone was designed so that it could sign a zone partially, using
|
|
only a subset of the DNSSEC keys needed to produce a fully-signed zone.
|
|
This permits a zone administrator, for example, to sign a zone with one
|
|
key on one machine, move the resulting partially-signed zone to a second
|
|
machine, and sign it again with a second key.
|
|
|
|
An unfortunate side-effect of this flexibility is that dnssec-signzone
|
|
does not check to make sure it's signing a zone with any valid keys at
|
|
all. An attempt to sign a zone without any keys will appear to succeed,
|
|
producing a "signed" zone with no signatures. There is no warning issued
|
|
when a zone is not signed.
|
|
|
|
This will be corrected in a future release. In the meantime, ISC
|
|
recommends examining the output of dnssec-signzone to confirm that
|
|
the zone is properly signed by all keys before using it.
|