So I'm trying to do something that's probably highly experimental and
possibly unsupported by the combination of NSD and named-xfer. But I'm
going to ask here anyway, as the archives don't show anything relevant.
I've got NSD 2.1.2 on FreeBSD 4.10. Compiled with --enable-dnssec and
pointing at the BIND 8.4.5 named-xfer program. I also have a signed zone
(netsec.tislabs.com.) that's signed. I'm trying to get NSD to secondary
the netsec zone.
I'm getting errors when I run nsdc update. zonec is complaining about
unterminated parenthesis and unrecognized RR types. You can see the
error output here:
<http://www.netsec.tislabs.com/conf/buddy/nsdc_update.out>.
named-xfer _is_ axfer-ing the zone. It doesn't, obviously, understand
the new DNSSEC RR types, so it is storing the zone with the RRs in
unknown RR format. You can see the file that named-xfer writes here:
<http://www.netsec.tislabs.com/conf/buddy/netsec.tislabs.com>.
Is NSD just not parsing the zone properly? Is named-xfer doing something
wrong? Am I trying to be too cutting-edge?
Wesley Griffin wrote:
> named-xfer _is_ axfer-ing the zone. It doesn't, obviously, understand
> the new DNSSEC RR types, so it is storing the zone with the RRs in
> unknown RR format. You can see the file that named-xfer writes here:
> <http://www.netsec.tislabs.com/conf/buddy/netsec.tislabs.com>.
The problem here is that the record being transferred is unknown and below the zone cut. So named-xfer tries to comment it out, because it shouldn't exist. Unfortunately, it only comments out the first line, resulting in a syntax error.
There is a patch for named-xfer somewhere. But this was one of the main reasons to implement our own AXFR client, because DNSSEC will not work without a DNSSEC-aware AXFR client.
> Is NSD just not parsing the zone properly? Is named-xfer doing something
> wrong? Am I trying to be too cutting-edge?
Yes, you are trying to be too cutting-edge, but it will help us find and fix bugs, so please continue 
Erik
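Erik's diagnosis above describes a parenthesis-handling bug: the record is commented out line by line rather than record by record, so a multi-line RDATA group loses its opening "(" and zonec reports an unterminated parenthesis. The following is an added illustration, not code from this thread, from NSD or from named-xfer. It uses a constructed zone snippet in RFC 3597 "\#" notation (names, hex payload and serial are made up) and shows the naive one-line comment-out beside a version that follows "(" / ")" grouping, plus a small balance check of the kind a zone compiler performs.

```python
"""Added example (not from the thread, NSD or named-xfer): commenting out a
multi-line unknown-type RR the way a master-file parser would expect.

Naive behaviour: prefix only the first physical line with ';'. If the RDATA
continues across lines inside '( ... )', the continuation lines stay live and
the zone compiler sees an unterminated parenthesis. The fix tracks the
parenthesis depth and comments every line of the record."""

import re

# Constructed sample in the shape a transfer client writes unknown RR types
# (RFC 3597 "\#" notation). Only the multi-line TYPE46 record matters here;
# the hex is filler, not real RRSIG data, and the names are made up.
SAMPLE_ZONE = """\
$ORIGIN netsec.tislabs.com.
$TTL 3600
@  IN SOA ns1 hostmaster ( 2004101501 3600 900 604800 3600 )
@  IN NS  ns1
ns1 IN A  192.0.2.1
sub IN NS ns1.sub
ns1.sub IN A 192.0.2.2
sub IN TYPE46 \\# 16 ( 00020501
        0000 0e10 4170 7a00
        42a0 )
"""

PAREN_RE = re.compile(r'[()]')


def _strip_comment(line):
    """Drop a ';' comment. Assumes no quoted strings containing ';'."""
    return line.split(';', 1)[0]


def naive_comment_out(lines, i):
    """What the thread describes: comment out only line i."""
    out = list(lines)
    out[i] = ';' + out[i]
    return out


def comment_out_record(lines, i):
    """Comment out the whole record starting at line i, following the
    master-file '(' / ')' grouping so continuation lines are covered too."""
    out = list(lines)
    depth = 0
    j = i
    while True:
        out[j] = ';' + out[j]
        for ch in PAREN_RE.findall(_strip_comment(lines[j])):
            depth += 1 if ch == '(' else -1
        if depth <= 0 or j + 1 >= len(lines):
            break
        j += 1
    return out


def paren_balance(lines):
    """Parenthesis depth after scanning the whole file, comments excluded.
    0 means balanced; anything else is what an 'unterminated parenthesis'
    style error corresponds to."""
    depth = 0
    for line in lines:
        for ch in PAREN_RE.findall(_strip_comment(line)):
            depth += 1 if ch == '(' else -1
    return depth


def find_unknown_rr_lines(lines):
    """Indexes of lines whose type field uses RFC 3597 TYPEnnn notation."""
    return [i for i, l in enumerate(lines)
            if re.search(r'\bTYPE\d+\b', _strip_comment(l))]


def demo():
    """Run both strategies on the sample and report the balance of each."""
    lines = SAMPLE_ZONE.splitlines()
    idx = find_unknown_rr_lines(lines)[0]
    naive = naive_comment_out(lines, idx)
    fixed = comment_out_record(lines, idx)
    return {
        'original_balance': paren_balance(lines),
        'naive_balance': paren_balance(naive),
        'fixed_balance': paren_balance(fixed),
        'fixed_commented': sum(l.startswith(';') for l in fixed),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

The naive pass leaves the file with a dangling ")" (balance -1), which is the failure mode zonec reports; the record-aware pass comments all three physical lines and leaves the file balanced.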
[Quoting Erik Rozendaal, on Oct 15, 23:29, in "Re: NSD 2.1.2, secon ..."]
> There is a patch for named-xfer somewhere. But this was one of the main
The patch for named-xfer is appended.
> Is NSD just not parsing the zone properly? Is named-xfer doing something
> wrong? Am I trying to be too cutting-edge?
> Yes, you are trying to be too cutting-edge, but it will help us find and
> fix bugs, so please continue
Agree!
-- ted
Index: named-xfer.c
> [Quoting Erik Rozendaal, on Oct 15, 23:29, in "Re: NSD 2.1.2, secon ..."]
> > There is a patch for named-xfer somewhere. But this was one of the main
> The patch for named-xfer is appended.
Ted, thanks for the patch I now have NSD serving my signed zone as a
secondary.
> > Is NSD just not parsing the zone properly? Is named-xfer doing something
> > wrong? Am I trying to be too cutting-edge?
> Yes, you are trying to be too cutting-edge, but it will help us find and
> fix bugs, so please continue 
> Agree!
Don't worry, the cutting-edge doesn't scare me
I had a feeling that
this was my problem, I just wanted some independent verification. I'll
continue to run NSD in my signed hierarchy and report back any bugs that
I find.