Hello Jan
Thank you for this great release. I had a look at the new kzonecheck
command line tool and I think I found a few bugs.
To test out kzonecheck I manually signed a test zone with dnssec-signzone:
dnssec-signzone -f - -z 8.example.com > 8.example.com.signed
kzonecheck finds a few errors in this zone which I think is a bug.
kzonecheck -v -o 8.example.com 8.example.com.signed
record 'bar2.8.example.com': GLUE, record with glue address missing
record 'foo.8.example.com': NSEC, missing record
ERROR SUMMARY:
Count Error
1 NSEC, missing record
1 GLUE, record with glue address missing
* Missing NSEC record. I think kzonecheck expects for the ENT record foo an NSEC record!
* Missing GLUE record. I think it expects for the delegation of bar2 a glue record for nameserver ns2.bar.8.example.com. This is wrong as well.
8.example.com zone file
-----------------------
$TTL 86400 ; (1 day)
$ORIGIN 8.example.com.
$INCLUDE K8.example.com.+008+40162.key;
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2014012401 ; serial YYYYMMDDnn
        14400 ; refresh (4 hours)
        1800 ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        3600 ; minimum (1 hour)
        )
        172800 IN NS ns1.switch.ch.
        172800 IN NS ns2.switch.ch.
test.foo IN A 192.168.1.1
test2.foo IN A 192.168.1.2
bar IN NS ns1.bar.8.example.com.
ns1.bar IN A 192.168.1.1
bar2 IN NS ns2.bar.8.example.com.
Daniel
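
The two rules the message relies on, applied to the zone above, as an added example that is not part of the original message and is not kzonecheck code: per RFC 4035 section 2.3 only names with authoritative data or a delegation NS RRset own an NSEC record, and this check treats glue as required only when the NS target is at or below the delegation itself. The record list is constructed from the quoted zone; `analyse` and `is_below` are hypothetical names.

```python
ORIGIN = "8.example.com."
# Constructed from the zone file quoted in the message: (owner, type, rdata).
RECORDS = [
    (ORIGIN, "SOA", "ns1.example.com."),
    (ORIGIN, "NS", "ns1.switch.ch."),
    (ORIGIN, "NS", "ns2.switch.ch."),
    ("test.foo." + ORIGIN, "A", "192.168.1.1"),
    ("test2.foo." + ORIGIN, "A", "192.168.1.2"),
    ("bar." + ORIGIN, "NS", "ns1.bar." + ORIGIN),
    ("ns1.bar." + ORIGIN, "A", "192.168.1.1"),
    ("bar2." + ORIGIN, "NS", "ns2.bar." + ORIGIN),
]

def is_below(name, ancestor):
    """True if name is a strict descendant of ancestor (both absolute)."""
    return name != ancestor and name.endswith("." + ancestor)

def analyse(records, origin):
    """Return (empty non-terminals, names that must own NSEC, missing glue)."""
    owners = {o for o, _, _ in records}
    cuts = {o for o, t, _ in records if t == "NS" and o != origin}
    # Names below a zone cut are glue or occluded, not authoritative data.
    auth = {o for o in owners if not any(is_below(o, c) for c in cuts)}
    # An ENT owns no records but has an authoritative descendant.
    ents = set()
    for name in auth:
        parent = name.split(".", 1)[1]
        while is_below(parent, origin):
            if parent not in owners:
                ents.add(parent)
            parent = parent.split(".", 1)[1]
    # NSEC sits at authoritative names and delegation points, never at ENTs.
    nsec_owners = set(auth)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    # Glue is only required for NS targets inside the delegated subtree.
    missing_glue = sorted(
        (cut, ns) for cut, t, ns in records
        if t == "NS" and cut in cuts
        and (ns == cut or is_below(ns, cut)) and ns not in have_addr
    )
    return ents, nsec_owners, missing_glue

if __name__ == "__main__":
    ents, nsec_owners, missing_glue = analyse(RECORDS, ORIGIN)
    print("ENTs:", sorted(ents))
    print("NSEC owners:", sorted(nsec_owners))
    print("missing in-domain glue:", missing_glue)
```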