Hi,
I just ran into a little bug where I had a zone that contained a DS
record for a delegation, but mistakenly did not include any NS records
for that delegation.
ldns-read-zone sees no problem with this zone and the nsd zonec compiler
compiled this zone without an error. I guess zonec does not perform any
checks, but ldns-read-zone should probably throw an error.
BIND's named-checkzone passed the zone as valid, however BIND's
dnssec-signzone refused to sign this zone.
I'm not sure what the proper behaviour should be in this case. Though
I would prefer that named-checkzone would not OK anything that
dnssec-signzone refuses to sign.
Paul
Paul Wouters wrote:
> Hi,
> I just ran into a little bug where I had a zone that contained a DS
> record for a delegation, but mistakenly did not include any NS records
> for that delegation.
> ldns-read-zone sees no problem with this zone and the nsd zonec compiler
> compiled this zone without an error. I guess zonec does not perform any
> checks, but ldns-read-zone should probably throw an error.
zonec is indeed not smart enough to detect this mismatch. It works on a
garbage in, garbage out basis. I think ldns-verify-zone should cover
this, not ldns-read-zone.
> BIND's named-checkzone passed the zone as valid, however BIND's
> dnssec-signzone refused to sign this zone.
> I'm not sure what the proper behaviour should be in this case. Though
> I would prefer that named-checkzone would not OK anything that
> dnssec-signzone refuses to sign.
+1
Did you ever try to run ldns-verify-zone on a real production zone (eg TLD 
It's so slow, it is useless for anything but small zones.
Paul
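The check the thread asks for (a DS RRset at a name that has no NS RRset, i.e. a DS without a delegation, plus the related case of a DS at the apex), as an added example that is not code from ldns, NSD or BIND. It parses a deliberately simplified zone presentation format: one record per line, optional TTL and class, $ORIGIN and $TTL as the only directives, no parenthesised multi-line records; those simplifications are assumptions, as are the sample zone, the names, the key tags and the digests, which are all constructed.

```python
"""Flag DS records that have no NS delegation at the same owner name.

Added example, not code from ldns, NSD or BIND.  It parses a deliberately
simplified zone presentation format: one record per line, optional TTL and
class, $ORIGIN and $TTL as the only directives, no parenthesised multi-line
records.  RFC 4035 section 2.4 requires a DS RRset to sit at a delegation
point (an owner name that also has an NS RRset) and never at the zone apex.
"""
import sys

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone.  "ok" is a proper signed delegation (NS + DS);
# "sub" has a DS record but its NS records were forgotten, which is the
# mistake described in the thread.  Key tags and digests are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
@      IN NS  ns1.example.com.
ns1    IN A   192.0.2.1
ok     IN NS  ns1.ok.example.com.
ns1.ok IN A   192.0.2.2
ok     IN DS  12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
sub    IN DS  54321 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""


def qualify(name, origin):
    """Turn an owner name into an absolute, lower-cased one."""
    if name is None:
        raise ValueError("record without an owner name before any owner was set")
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError(f"relative name {name!r} but no $ORIGIN in effect")
    if name == "@":
        return origin.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin=None):
    """Return a list of (owner, rtype, rdata_fields) tuples."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        if line.startswith("$"):
            raise ValueError(f"unsupported directive: {raw!r}")
        fields = line.split()
        if line[0].isspace():                         # blank owner: reuse previous
            owner = last_owner
        else:
            owner, fields = fields[0], fields[1:]
        if fields and fields[0].isdigit():            # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() in CLASSES:   # optional class
            fields = fields[1:]
        if not fields:
            raise ValueError(f"malformed record: {raw!r}")
        owner = qualify(owner, origin)
        last_owner = owner
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def find_ds_problems(records):
    """Return (owner, reason) pairs for DS RRsets that are not at a delegation."""
    apex = next((o for o, t, _ in records if t == "SOA"), None)
    ns_owners = {o for o, t, _ in records if t == "NS"}
    ds_owners = {o for o, t, _ in records if t == "DS"}
    problems = []
    for owner in sorted(ds_owners):
        if owner == apex:
            problems.append((owner, "DS at the zone apex"))
        elif owner not in ns_owners:
            problems.append((owner, "DS without an NS RRset (no delegation)"))
    return problems


def check_zone_text(text):
    """Parse and check a zone; returns the list of (owner, reason) problems."""
    return find_ds_problems(parse_zone(text))


if __name__ == "__main__":
    # Usage: python ds_check.py [zonefile]; with no argument the sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    problems = check_zone_text(source)
    for owner, reason in problems:
        print(f"{owner}: {reason}")
    sys.exit(1 if problems else 0)
```

Run against the sample it reports `sub.example.com.: DS without an NS RRset (no delegation)` and exits non-zero, the behaviour the thread wants from a zone checker before the zone reaches a signer. Like dnssec-signzone it treats the mismatch as an error rather than a warning, since a DS with no NS is never valid zone content.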