Diffstat (limited to 'KNOWN-DEFECTS')
| -rw-r--r-- | KNOWN-DEFECTS | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/KNOWN-DEFECTS b/KNOWN-DEFECTS new file mode 100644 index 000000000000..83d71759740e --- /dev/null +++ b/KNOWN-DEFECTS @@ -0,0 +1,15 @@ +dnssec-signzone was designed so that it could sign a zone partially, using +only a subset of the DNSSEC keys needed to produce a fully-signed zone. +This permits a zone administrator, for example, to sign a zone with one +key on one machine, move the resulting partially-signed zone to a second +machine, and sign it again with a second key. + +An unfortunate side-effect of this flexibility is that dnssec-signzone +does not check to make sure it's signing a zone with any valid keys at +all. An attempt to sign a zone without any keys will appear to succeed, +producing a "signed" zone with no signatures. There is no warning issued +when a zone is not signed. + +This will be corrected in a future release. In the meantime, ISC +recommends examining the output of dnssec-signzone to confirm that +the zone is properly signed by all keys before using it. |
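Review bot: the mitigation paragraph at the end of the hunk is too vague to act on: "ISC recommends examining the output of dnssec-signzone to confirm that the zone is properly signed by all keys" does not say what to look for, while the defect paragraph above it already states the concrete symptom ("producing a 'signed' zone with no signatures"). Suggest spelling the check out, e.g. that the output must contain signatures for every key the operator intended to sign with, and that an output with no signatures at all must be treated as unsigned. Second, "This will be corrected in a future release" gives readers of this file no way to tell whether their build is affected or fixed; please name the affected versions or add a tracking reference so the entry can be retired when the check and warning land. Finally, since the fix described here is a check for zero keys plus a warning, it is small enough to consider landing alongside this notice rather than deferring it.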
