GitLab

I have a test zone with alg. 8 and alg. 13 keys.

I disabled the algorithm 8 ksk:

dnssec-settime -D now -I now Kfanf2.ucam.org.+008+25474.key

I forgot to delete the CDS record and forgot the ZSK.

• first problem: named accepted this change - the integrity checks did not work

Then named was restarted. It refused to load the zone because the consistency checks failed.

I tried to inspect the zone using named-compilezone because it is in "raw" format. This also failed because of the consistency checks.

• second problem: named-compilezone does not have an option to disable the CDS consistency checks

• third problem: named also does not have an option to disable the CDS consistency checks

Consequence: I was not able to fix the zone without editing BIND's source code to disable the consistency checks.