mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-13 19:19:59 -04:00
13 lines
730 B
Text
13 lines
730 B
Text
dnssec-signzone was designed so that it could sign a zone partially, using
|
|
only a subset of the DNSSEC keys needed to produce a fully-signed zone.
|
|
This permits a zone administrator, for example, to sign a zone with one
|
|
key on one machine, move the resulting partially-signed zone to a second
|
|
machine, and sign it again with a second key.
|
|
|
|
An unfortunate side-effect of this flexibility is that dnssec-signzone
|
|
does not check to make sure it's signing a zone with any valid keys at
|
|
all; an attempt to sign a zone with no keys may appear to have succeeded.
|
|
|
|
This will be corrected in the next release. In the meantime, ISC
|
|
recommends examining the output of dnssec-signzone to confirm that
|
|
the zone is properly signed by all keys.
|