Nargh, I really need to get better at not sending messages early.
Let me try again.
Consider a zonefile with
@ DNSKEY 257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw==
and configuration
zone:
  - domain: example.com
    storage: /config/
    file: example.com.zone
    module: mod-onlinesign
This leads to:
$ dig +noall +answer @localhost -p 5300 example.com DNSKEY +dnssec
example.com. 3600 IN DNSKEY 257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw==
example.com. 3600 IN DNSKEY 257 3 13 zrNQ/wJ5nZk4ZIPXvbbDflMfk0WKtvhz1rnmVfunXJGPkD8gLGOHrF7A eUJlzcBuQfdt0YoEKnjvmA+BRhR4NA==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. 94sHqW2hVKW4ca4QS7Wd+/fODyGFKawfi8xRAk4+Ee5eusPKRhY8vBZ2 d6b2vmTpFLFj6DzHmR2YSbJ8RClfjQ==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. VJM+yxwjAqPpY/n36e2f7o2zRYfgH3CgXBp8bm92c6vqOUX31yGAB+Rh 64JSnlEsECEDnAwfnLFItrLi2YNdfA==
So, there are two DNSKEYs (and that's correct; one is the explicit one from the
zonefile, the other is from the onlinesign module), and two signatures. However, the
signatures are both from the onlinesign module's DNSKEY.
Why is that / is that a problem / does this need fixing?
Last year, I also managed to trigger SERVFAIL by putting an RRSIG into an
onlinesign'ed zonefile, but it appears I can't reproduce this anymore. Not sure
what exactly I did back then.
Best,
Peter
On 2/10/25 23:53, Peter Thomassen via knot-dns-users wrote:
Hi,
Consider a zonefile with
@ DNSKEY 257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw==
and configuration
zone:
  - domain: example.com
    storage: /config/
    file: example.com.zone
    module: mod-onlinesign
--
Like our community service? 💛
Please consider donating at
https://desec.io/
deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
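The check behind the observation in the mail ("the signatures are both from the onlinesign module's DNSKEY"), as an added example that is not part of the original message and not Knot DNS code: it parses the quoted dig output, computes each DNSKEY's key tag per RFC 4034 Appendix B, maps every RRSIG's key tag back to the published keys, and asks whether the DNSKEY RRset is signed by a key that a parent DS record would identify. The DS key tags are an assumed input, since the parent's DS records are not shown in the mail; the parser handles only the presentation format dig prints above, and the legacy RSA/MD5 (algorithm 1) key-tag rule is not implemented.

```python
import base64

# Constructed input: the two DNSKEY records and the two RRSIG(DNSKEY) records
# from the dig output quoted in the mail, each record put back on one line.
DIG_OUTPUT = """\
example.com. 3600 IN DNSKEY 257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkY StUdbFu24Js6T5uROHo8lSG9rhgduw==
example.com. 3600 IN DNSKEY 257 3 13 zrNQ/wJ5nZk4ZIPXvbbDflMfk0WKtvhz1rnmVfunXJGPkD8gLGOHrF7A eUJlzcBuQfdt0YoEKnjvmA+BRhR4NA==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. 94sHqW2hVKW4ca4QS7Wd+/fODyGFKawfi8xRAk4+Ee5eusPKRhY8vBZ2 d6b2vmTpFLFj6DzHmR2YSbJ8RClfjQ==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. VJM+yxwjAqPpY/n36e2f7o2zRYfgH3CgXBp8bm92c6vqOUX31yGAB+Rh 64JSnlEsECEDnAwfnLFItrLi2YNdfA==
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag of a DNSKEY, RFC 4034 Appendix B (general case only; the
    special rule for the obsolete RSA/MD5 algorithm 1 is not implemented)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Turn dig's presentation format into lists of DNSKEY and RRSIG dicts."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            pub = base64.b64decode("".join(rdata[3:]))  # dig splits base64 with spaces
            keys.append({"owner": owner, "flags": flags, "algorithm": alg,
                         "pubkey": pub, "key_tag": key_tag(flags, proto, alg, pub)})
        elif rtype == "RRSIG":
            # RDATA: type covered, alg, labels, orig TTL, expiration, inception,
            # key tag, signer name, signature
            sigs.append({"owner": owner, "type_covered": rdata[0],
                         "algorithm": int(rdata[1]), "key_tag": int(rdata[6]),
                         "signer": rdata[7],
                         "signature": base64.b64decode("".join(rdata[8:]))})
    return keys, sigs


def signing_key_tags(sigs, type_covered):
    """Key tags found on the RRSIGs that cover the given RR type."""
    return {s["key_tag"] for s in sigs if s["type_covered"] == type_covered}


def keys_for_signature(keys, sig):
    """Published DNSKEYs this RRSIG could have been made with: same owner,
    algorithm and key tag. Key tags are not unique, so this is a candidate
    set; a real validator verifies the signature against each candidate."""
    return [k for k in keys if k["owner"] == sig["signer"]
            and k["algorithm"] == sig["algorithm"]
            and k["key_tag"] == sig["key_tag"]]


def unused_key_tags(keys, sigs):
    """Published keys that sign nothing in the captured answer."""
    used = {s["key_tag"] for s in sigs}
    return [k["key_tag"] for k in keys if k["key_tag"] not in used]


def dnskey_rrset_chains_to(keys, sigs, ds_key_tags):
    """True if a validator trusting DS records with these key tags (assumed
    input, the parent's DS records are not in the mail) can accept the
    DNSKEY RRset: it needs an RRSIG(DNSKEY) made by a published key that
    the DS identifies (RFC 4035, section 5.2)."""
    return any(
        s["key_tag"] in ds_key_tags and keys_for_signature(keys, s)
        for s in sigs if s["type_covered"] == "DNSKEY"
    )


if __name__ == "__main__":
    keys, sigs = parse_records(DIG_OUTPUT)
    for k in keys:
        print(f"DNSKEY flags={k['flags']} alg={k['algorithm']} key tag={k['key_tag']}")
    for s in sigs:
        cands = [k["key_tag"] for k in keys_for_signature(keys, s)]
        print(f"RRSIG({s['type_covered']}) key tag={s['key_tag']} -> candidate keys {cands}")
    print("published keys that sign nothing here:", unused_key_tags(keys, sigs))
```

Run against the quoted answer, the zonefile key gets key tag 19870 and the module's key gets 8901, so both RRSIG(DNSKEY) records map to the module's key and the zonefile key signs nothing. Whether that is a problem depends on which key the parent's DS record names: a validator can only accept the DNSKEY RRset if it is signed by a key the DS chain identifies, so `dnskey_rrset_chains_to` with the real DS key tags is the check to run before concluding either way. Key tags can collide, so a production check should verify the signature bytes rather than stop at the tag match.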