problems with CDS / CDNSKEY consistency checks
I have a test zone with alg. 8 and alg. 13 keys.
I disabled the algorithm 8 KSK:
dnssec-settime -D now -I now Kfanf2.ucam.org.+008+25474.key
I forgot to delete the CDS record and forgot the ZSK.
named accepted this change - the integrity checks did not work.
named was restarted. It refused to load the zone because the consistency checks failed.
I tried to inspect the zone using named-compilezone because it is in "raw" format. This also failed because of the consistency checks.
named-compilezone does not have an option to disable the CDS consistency checks.
named also does not have an option to disable the CDS consistency checks.
Consequence: I was not able to fix the zone without editing BIND's source code to disable the consistency checks.