Bind signing with dnssec-signzone currently does not include and sign DS RR for fully delegated zones
Description
I want to fully delegate multiple subdomains from a parent zone onto their own servers, including full delegation of DNSSEC, so that each delegated zone can generate its own keying material and share it with the parent (out of band initially, but later via RFC 8078).
So the parent zone would be example.com.
Under this there'd be multiple fully delegated subdomains: sub1.example.com, sub2.example.com, etc.
In order to properly delegate DNSSEC and ensure a proper chain of trust, there need to be DS records, plus a signed RRSIG DS RR, for sub1.example.com and sub2.example.com in the example.com zone.
When I try to sign the zone manually using BIND 9.14.2
sudo dnssec-signzone -S -K /etc/bind/keys/ -g -a -o example.com fwd.example.com.db
the zone is signed properly, but there's no DS RR or RRSIG DS records included in fwd.example.com.db.signed.
The rest of the signing works fine, so it looks like DS RRs are being treated specially (read but filtered) by the current latest version of BIND.
When I try the same in knotd, using identical zone files as input plus automatic signing, everything works as expected.
Sample input
cat fwd.example.com.zone.db.unsigned | egrep 'DS|NS' | grep -v CDS | grep -v DNSKEY
sub1.example.com. 3600 IN NS ns1.example.com.
sub1.example.com. 3600 IN NS ns2.example.com.
sub1.example.com. DS 62729 8 2 b9a3f8d090969888671fe9a8b4daa306c900c738d9c7f0946c24c13f43959f0b
sub1.example.com. DS 62729 8 4 93d99d3c5c0c30addc8b1df93e94dc9b5954e2bb0545126c97df05cdb6de25674f708eacef253a4b195fb3255d731923
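The DS lines above are what the child zone hands to the parent. As an added example (not from this report and not BIND's code), the following Python derives such a record from a child's DNSKEY: the key tag per RFC 4034 Appendix B, and the digest over the canonical owner name plus the DNSKEY RDATA per RFC 4034 section 5.1.4, for digest types 2 (SHA-256) and 4 (SHA-384) as used in the sample. The public key bytes are a constructed placeholder, so the resulting key tag and digests will not match 62729 or the sample digests.

```python
"""Derive the parent-side DS record from a child zone's DNSKEY.

Added example, not BIND's code: this is the computation a child such as
sub1.example.com performs before handing its DS to the parent. The
public key bytes used below are a constructed placeholder, not a key.
"""
import hashlib
import struct

# DS digest type -> hash function (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Uppercase hex digest over canonical owner name || DNSKEY RDATA."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type):
    """Presentation-format DS RR for the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    owner = owner.lower().rstrip(".") + "."
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


if __name__ == "__main__":
    # Constructed placeholder key material: KSK flags 257, protocol 3, RSASHA256 (8).
    FAKE_PUBKEY = b"\x00\x01" * 4
    for dtype in (2, 4):
        print(ds_record("sub1.example.com.", 257, 3, 8, FAKE_PUBKEY, dtype))
```

The owner name is lowercased before hashing because RFC 4034 canonical form requires it; a DS computed over a mixed-case name would not validate against the child's DNSKEY.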
Sample output (of course these keys won't match real results as this isn't a real example.com zone file)
more example.com.zone | egrep 'DS|NS' | grep -v CDS | grep -v DNSKEY
example.com. 3600 NS ns1.example.com.
example.com. 3600 NS ns2.example.com.
sub1.example.com. 3600 NS ns1.example.com.
sub1.example.com. 3600 DS 62729 8 2 B9A3F8D090969888671FE9A8B4DAA306C900C738D9C7F0946C24C13F43959F0B
sub1.example.com. 3600 DS 62729 8 4 93D99D3C5C0C30ADDC8B1DF93E94DC9B5954E2BB0545126C97DF05CDB6DE25674F708EACEF253A4B195FB3255D731923
;; DNSSEC signatures
example.com. 3600 RRSIG NS 8 3 3600 20190904071119 20190821054119 62374 example.com. BBY1YVmfx6paRsypf4wKLDqGeN+DaNv7kFKJBo1VkddJVkg1w+PEl1Bf/Y4orfSUfl0GM83eC+GikzFTZTer/U7LsubVp/PUg8fnsINRgnAWheF1KoshWc09Dfod7oDDzcQYJZHQTaQ24avkUh9kqQ9g1eZTFDPcjqgIzPFBjr4=
example.com. 600 RRSIG NSEC 8 3 600 20190904071119 20190821054119 62374 example.com. h7sP6O86WQBNDt/ZhqNKcovWRwsoFr/G8W7/vkBqBcvJvIlw0XUrf/nuHShMJyCALoB5QgM8YtqL/5LrpDUahKuHq7nvb6FGqlPL7d3//Ms8Ue7eU9j8A+xszU457iwbzx5yq7dcWAES4iB53ZHD98m+veD+dTLdZck66kRAZ6E=
hna.example.com. 600 RRSIG NSEC 8 4 600 20190904071119 20190821054119 62374 example.com. LXLi/mGgkRmzpN6rwBs5Tp0z1FSG3AyC0X8goY7D/bGVBEwC8wlklTIibZM7PTLGQ9mA9R1Dph3tutvYO2PJVJUaIOPnwjzaEeHqec/P53u6UHYyG0k+AIKCpWTA/Cxna24bp+f+aq+EYAW+Cu6qHuJ8xK02a21MFhdi4FksJGk=
sub1.example.com. 3600 RRSIG DS 8 4 3600 20190904071119 20190821054119 62374 example.com. Wr/T6sNa05marGzNfMIDfxqDb5fI5Ni2KwyS4SeFiWrsxSzBEdSOI+bV2Rti5Qu2jgt67FPa8J5fh5mH/CVzfGmpLu5JSQw4wPRt6Gzk5I0B7webO0aGX86ujfvkpjKRxfQvgFk20EBtifYE8I2mo1mghBtW50bg2Qv+N0sbcXM=
sub1.example.com. 600 RRSIG NSEC 8 4 600 20190904071119 20190821054119 62374 example.com. d+oHQbhKvaSgDDY34mWVohUEtI/GBIVv1D60m7eKQocSjv6/CaGaJ3h+BROzh+eLWZ/kzuE3ph0ICS0ksXhCH286g/MtOJdbdZDKSUVm20VL2FT8niYBi3kaW/t6s7B7NlqKBlPjrfEig9V313Od62CKXVpDlPLCCYS+hoYFEZQ=
;; DNSSEC NSEC chain
sub1.example.com. 600 NSEC example.com. NS DS RRSIG NSEC
Request
I'd like dnssec-signzone to:
1. Read the DS RRs from the fwd.example.com.db zone file and check their syntax.
2. Check that the owner name of the DS RR is a proper subdomain of the parent zone file (sub1.example.com is a proper subdomain of example.com).
3. Check that there's an NS RR present for the subdomain (NS RR present for sub1.example.com in example.com), so that we know the DS hasn't been included by accident and that this DS really is associated with a delegation.
4. Copy the DS RR into the fwd.example.com.db.signed output.
5. Create and append an RRSIG DS for the DS RRs and write it to the fwd.example.com.db.signed output.
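As an added example of the checks requested above (not BIND's code and not a patch to dnssec-signzone), the following Python performs the read, syntax, proper-subdomain and NS-present checks over a parent zone in presentation format; it is a useful pre-flight before signing whatever the tool itself does with DS records. SAMPLE reuses the NS and DS lines from the sample input; BAD is a constructed zone fragment with one problem of each kind.

```python
"""Pre-flight check for DS records in a parent zone before it is signed.

Added example, not part of BIND or of this report: it implements the
requested checks over zone data in presentation format, so a DS that is
malformed or not attached to a delegation is flagged before signing.
"""
import re

# DS digest type -> required hex length (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384)
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_zone(text, apex):
    """Parse 'owner [ttl] [class] type rdata' lines into {(owner, type): [rdata, ...]}.

    Handles only what this check needs: comments and $-directives are
    skipped and relative owner names are made absolute under the apex.
    """
    apex = apex.lower().rstrip(".") + "."
    rrsets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = tokens.pop(0).lower()
        if owner == "@":
            owner = apex
        elif not owner.endswith("."):
            owner = owner + "." + apex
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        rrsets.setdefault((owner, rtype), []).append(" ".join(tokens))
    return rrsets


def check_ds_delegations(text, apex):
    """Return a list of problems; an empty list means every DS is usable."""
    apex = apex.lower().rstrip(".") + "."
    rrsets = parse_zone(text, apex)
    problems = []
    for (owner, rtype), rdatas in rrsets.items():
        if rtype != "DS":
            continue
        # 1. The DS owner must be a proper subdomain of the zone apex.
        if owner == apex or not owner.endswith("." + apex):
            problems.append(f"{owner}: DS owner is not a proper subdomain of {apex}")
            continue
        # 2. A delegation (NS RRset) must exist at the same owner name.
        if (owner, "NS") not in rrsets:
            problems.append(f"{owner}: DS present but no NS delegation at that name")
        # 3. RDATA syntax: key tag, algorithm, digest type, hex digest of the right length.
        for rdata in rdatas:
            fields = rdata.split()
            if len(fields) < 4:
                problems.append(f"{owner}: DS needs 4 fields, got {len(fields)}")
                continue
            tag, alg, dtype = fields[:3]
            digest = "".join(fields[3:])  # presentation form may split the digest
            if not (tag.isdigit() and int(tag) <= 65535):
                problems.append(f"{owner}: bad key tag {tag!r}")
            if not (alg.isdigit() and 1 <= int(alg) <= 255):
                problems.append(f"{owner}: bad algorithm {alg!r}")
            want = DIGEST_HEX_LEN.get(int(dtype)) if dtype.isdigit() else None
            if want is None:
                problems.append(f"{owner}: unknown digest type {dtype!r}")
            elif len(digest) != want or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
                problems.append(f"{owner}: digest type {dtype} needs {want} hex chars")
    return problems


# NS and DS lines taken from the report's sample input.
SAMPLE = """
$TTL 3600
example.com.      3600 IN NS ns1.example.com.
example.com.      3600 IN NS ns2.example.com.
sub1.example.com. 3600 IN NS ns1.example.com.
sub1.example.com. 3600 IN NS ns2.example.com.
sub1.example.com. DS 62729 8 2 b9a3f8d090969888671fe9a8b4daa306c900c738d9c7f0946c24c13f43959f0b
sub1.example.com. DS 62729 8 4 93d99d3c5c0c30addc8b1df93e94dc9b5954e2bb0545126c97df05cdb6de25674f708eacef253a4b195fb3255d731923
"""

# Constructed fragment: a DS with no delegation, one outside the zone, one with a short digest.
BAD = f"""
orphan.example.com. DS 1 8 2 {'ab' * 32}
example.org.        IN NS ns1.example.org.
example.org.        DS 1 8 2 {'ab' * 32}
sub2.example.com.   IN NS ns1.example.com.
sub2.example.com.   DS 1 8 2 abcd
"""

if __name__ == "__main__":
    for zone in (SAMPLE, BAD):
        for problem in check_ds_delegations(zone, "example.com") or ["OK"]:
            print(problem)
```

Run it against the unsigned parent zone before invoking dnssec-signzone; the NS check is what distinguishes a DS that belongs to a delegation from one that was pasted in by mistake.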