problems with CDS / CDNSKEY consistency checks
I have a test zone with alg. 8 and alg. 13 keys.
I disabled the algorithm 8 ksk:
dnssec-settime -D now -I now Kfanf2.ucam.org.+008+25474.key
I forgot to delete the CDS record and forgot the ZSK.
-
first problem:
namedaccepted this change - the integrity checks did not work
Then named was restarted. It refused to load the zone because the consistency checks failed.
I tried to inspect the zone using named-compilezone because it is in "raw" format. This also failed because of the consistency checks.
-
second problem:
named-compilezonedoes not have an option to disable the CDS consistency checks -
third problem:
namedalso does not have an option to disable the CDS consistency checks
Consequence: I was not able to fix the zone without editing BIND's source code to disable the consistency checks.