[knot-dns-users] Re: mod-onlinesign: extra DNSKEY causes double signatures

Nargh, I really need to get better at not sending messages early. Let me try again. Consider a zonefile with @    DNSKEY    257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw== and configuration zone:   - domain: example.com     storage: /config/     file: example.com.zone     module: mod-onlinesign This leads to: $ dig +noall +answer @localhost -p 5300 example.com DNSKEY +dnssec example.com.        3600    IN    DNSKEY    257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw== example.com.        3600    IN    DNSKEY    257 3 13 zrNQ/wJ5nZk4ZIPXvbbDflMfk0WKtvhz1rnmVfunXJGPkD8gLGOHrF7A eUJlzcBuQfdt0YoEKnjvmA+BRhR4NA== example.com.        3600    IN    RRSIG    DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. 94sHqW2hVKW4ca4QS7Wd+/fODyGFKawfi8xRAk4+Ee5eusPKRhY8vBZ2 d6b2vmTpFLFj6DzHmR2YSbJ8RClfjQ== example.com.        3600    IN    RRSIG    DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. VJM+yxwjAqPpY/n36e2f7o2zRYfgH3CgXBp8bm92c6vqOUX31yGAB+Rh 64JSnlEsECEDnAwfnLFItrLi2YNdfA== So, there are two DNSKEYs (and that's correct; one is the explicit one from the zonefile, the other is from the onlinesign module), and two signatures. However, the signatures are both from the onlinesign module's DNSKEY. Why is that / is that a problem / does this need fixing? Last year, I also managed to trigger SERVFAIL by putting an RRSIG into an onlinesign'ed zonefile, but it appears I can't reproduce this anymore. Not sure what exactly I did back then. Best, Peter On 2/10/25 23:53, Peter Thomassen via knot-dns-users wrote: