Via Daniel Stirnimann:
$TTL 1d
$INCLUDE Kexample.com.+008+18169.key
$INCLUDE Kexample.com.+008+57699.key
@ IN SOA ns.example.com. hostmaster.example.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN NS ns1.example.net.
sub IN NS ns1.example.net.
test.sub IN A 127.0.0.1
The error is that there exists the "test.sub" record but "sub" is
already delegated.
BIND "dnssec-signzone" ignores "test.sub" and does not create
RRSIG/NSEC/NSEC3 records.
When I verify the signed zone (using NSEC) with validns, no error is shown.
When I verify the signed zone (using NSEC3) with validns, the error:
"no corresponding NSEC3 found for test.sub.example.com." is shown which
is correct.
I'm not sure what's the right way of handling this error is. In any
case, I think the error message should be the same whether NSEC or NSEC3
is used. Practically, I could live with a WARNING and not an ERROR
because, as far as BIND dnssec-signzone goes, the additional record of
the delegated zone is not signed, so does not lead to a signing error.
However, I'm not sure if other DNSSEC signing tools handle this the same
way.