Allow unsupported algorithms in zone when not used for signing
Summary
If you have a DNSKEY with an unsupported algorithm in your zone, dnssec-signzone
refuses to sign the zone.
BIND version used
9.13.5
Steps to reproduce
Have a DSA public key stored in a file dsa.key. Have an unsigned zone file, for example root.db. Then create a key for signing and sign the zone with it.
dnssec-keygen -a rsasha256 -qfk .
dnssec-keygen -a rsasha256 -q .
cat dsa.key >> root.db
dnssec-signzone -S -o . root.db K.+008+57997 K.+008+46623
This will output:
dnssec-signzone: fatal: failed to load the zone keys: algorithm is unsupported
What is the current bug behavior?
dnssec-signzone encounters a fatal error and refuses to sign the zone.
What is the expected correct behavior?
dnssec-signzone should sign the zone regardless of the algorithms used in the DNSKEY RRset.
Relevant configuration files
N/A
Relevant logs and/or screenshots
N/A
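
A pre-signing check for the situation in this report, added here as an example (not part of the report and not BIND code): it lists the DNSKEY algorithms present in the zone file that none of the signing keys use, such as the appended DSA key. The function names and the constructed zone are assumptions of the example, as is DSA being algorithm number 3 (its IANA registry value).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of BIND.

# Algorithm number of every DNSKEY RR in a master-format zone file.
# Assumes flags, protocol and algorithm sit on the same line as the type.
zone_dnskey_algs() {
    awk '
    { sub(/;.*/, ""); gsub(/[()]/, " ") }   # drop comments and parentheses
    {
        # the type is one of the first four fields: [owner] [ttl] [class] TYPE
        for (i = 1; i <= 4 && i + 3 <= NF; i++)
            if (toupper($i) == "DNSKEY" && $(i + 3) ~ /^[0-9]+$/) {
                print $(i + 3) + 0
                break
            }
    }' "$1" | sort -nu
}

# Algorithm numbers taken from key names of the form K<zone>+<alg>+<id>.
signing_key_algs() {
    for k in "$@"; do
        k=${k##*/}; k=${k%.key}; k=${k%.private}
        alg=${k%+*}              # strip "+<id>"
        printf '%s\n' "${alg##*+}"
    done | awk '{ print $1 + 0 }' | sort -nu   # 008 -> 8
}

# DNSKEY algorithms present in the zone that no signing key uses.
nonsigning_algs() {
    zonefile=$1; shift
    signing=" $(signing_key_algs "$@" | tr '\n' ' ')"
    for a in $(zone_dnskey_algs "$zonefile"); do
        case "$signing" in *" $a "*) ;; *) echo "$a" ;; esac
    done
}

demo() {
    tmp=$(mktemp)
    # Constructed zone: placeholder key data, DSA (3) beside RSASHA256 (8).
    cat > "$tmp" <<'EOF'
. 86400 IN SOA ns.example. hostmaster.example. 1 1800 900 604800 86400
. 86400 IN NS ns.example.
. IN DNSKEY 256 3 3 Q09OU1RSVUNURUQ= ; appended from dsa.key
. 3600 IN DNSKEY 257 3 8 ( Q09OU1RSVUNURUQ= )
EOF
    nonsigning_algs "$tmp" K.+008+57997 K.+008+46623
    rm -f "$tmp"
}

demo   # prints 3
```

Any algorithm it prints belongs to a DNSKEY that is in the zone but not used for signing, which is the case that triggers the fatal error above.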