RRSIG is occluded by a delegation

reissmann commented 5 years ago

Short description

I run a pdns master with bind backend and multiple slaves with mysql-backend. DNSSEC signing is done on the master. When adding a zone delegation (in my case _acme.domain.tld, which is a dynamic zone for letsencrypt), my parent zone looks like this:

_acme.domain.tld  3600     IN      NS      ns1.domain.tld.
_acme.domain.tld  3600     IN      NS      ns2.domain.tld.
_acme.domain.tld  43200   IN      RRSIG   NSEC 8 3 43200 20190321000000 .....

When checking the zone using pdnsutil check-zone, the following warning is displayed:

[Warning] '_acme.domain.tld|RRSIG' in zone 'domain.tld' is occluded by a delegation at '_acme.domain.tld'

Environment

Software version: pdns-server 4.1.6
Operating system: Debian 9.8
Software source: PowerDNS repository

Steps to reproduce

Create a signed slave zone
Have a delegation in that zone
Run pdnsutil check-zone

Expected behaviour

No warning should be displayed, as the signed slave zone will always have the RRSIG record, like it has NS or DS records.

Actual behaviour

[Warning] '_acme.domain.tld|RRSIG' in zone 'domain.tld' is occluded by a delegation at '_acme.domain.tld'

Other information

As far as I can tell, this is just a cosmetic problem that does not affect the function in any way.

Habbie commented 5 years ago

As far as I can tell, this is just a cosmetic problem that does not affect the function in any way.

That is correct!

jsoref commented 1 year ago

I'm tripping on this, and it's scary, I might try to do something about it. My theoretical upgrade process involves running check-zones to ensure I haven't screwed up...

Fwiw, #8716 also mentions this warning.

PowerDNS / pdns