Re: Difference in validating behavior 9.18 / 9.20

2025-02-10 Thread Mark Andrews
If you want to test behaviour with expired records you are going to need to use dnssec-signzone. The tests that ship with BIND use dnssec-signzone to build zones with out-of-date signatures. As for dnssec-policy, it is not designed to produce broken zones.

Mark

> On 11 Feb 2025, at 10:18, John

Re: Difference in validating behavior 9.18 / 9.20

2025-02-10 Thread John Thurston
Trying to kick this football, I delegated a zone (z.ak.gov) to one of my test servers, by adding a record to ak.gov:

z.ak.gov. IN NS ns88.state.ak.us

And on the ns88 server, I created a zone file with an SOA, NS, A, and a TXT record. I defined it with a basic zone-statement:

zone "z.ak.gov" {

Re: Difference in validating behavior 9.18 / 9.20

2025-02-07 Thread John Thurston
Comparing the ARM for 9.18 and 9.20, I see the same text in both regarding time, RRSIG, and validity:

In DNSSEC, every record comes with at least one RRSIG, and each RRSIG contains two timestamps: one indica
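The ARM passage John quotes is about the two timestamps every RRSIG carries. The script below is an added example, not code from this thread and not BIND's own validator: it parses RRSIG records in the presentation format that `dig +dnssec` prints, and classifies each as valid, expired or not yet valid against a given clock, using the 32-bit serial-number comparison (RFC 1982) that RFC 4034 section 3.1.5 prescribes for the Inception and Expiration fields, with both ends inclusive as RFC 4035 section 5.3.1 requires. The sample answer section, the owner names, the key tag, the signature bytes and the clock value are all constructed placeholders.

```python
"""Validator-side RRSIG validity window check (added example, not BIND code).

Parses RRSIG records in presentation format, as `dig +dnssec` prints them,
and reports whether each signature is inside its validity window at a given
time, using the 32-bit serial-number comparison (RFC 1982) that RFC 4034
section 3.1.5 specifies for the Inception and Expiration fields.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def parse_timestamp(field: str) -> int:
    """RRSIG time field -> seconds since epoch, modulo 2^32.

    Presentation format is YYYYMMDDHHMMSS in UTC; RFC 4034 also permits the
    raw unsigned decimal value, which is passed through unchanged.
    """
    if len(field) == 14 and field.isdigit():
        when = dt.datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
        return int(when.timestamp()) % SERIAL_MOD
    return int(field) % SERIAL_MOD


def serial_le(a: int, b: int) -> bool:
    """True if a <= b under RFC 1982 serial-number arithmetic (32-bit).

    A plain integer compare breaks once the counter wraps (in 2106); the
    serial compare is what a validator is required to use.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return True
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    inception: int
    expiration: int
    key_tag: int
    signer: str


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG RR in presentation format.

    Field order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    Note that expiration comes *before* inception, on the wire and in text.
    """
    fields = line.split()
    try:
        i = fields.index("RRSIG")
    except ValueError:
        raise ValueError(f"not an RRSIG record: {line!r}") from None
    if len(fields) < i + 10:
        raise ValueError(f"truncated RRSIG record: {line!r}")
    covered, _alg, _labels, _ottl, exp, inc, tag, signer = fields[i + 1 : i + 9]
    return Rrsig(
        owner=fields[0],
        type_covered=covered,
        inception=parse_timestamp(inc),
        expiration=parse_timestamp(exp),
        key_tag=int(tag),
        signer=signer,
    )


def check_validity(sig: Rrsig, now: int) -> str:
    """Classify a signature against the validator's clock.

    RFC 4035 section 5.3.1: now must be >= Inception and <= Expiration,
    both inclusive, compared with serial arithmetic.
    """
    if not serial_le(sig.inception, now):
        return "not yet valid"
    if not serial_le(now, sig.expiration):
        return "expired"
    return "valid"


def triage(lines: list[str], now: int) -> dict[str, str]:
    """Map 'owner/type' to validity state for every RRSIG in a dig-style
    dump, skipping non-RRSIG lines; the manual check one does when a
    resolver logs 'verify failed' for a name."""
    result: dict[str, str] = {}
    for line in lines:
        if "RRSIG" not in line.split():
            continue
        sig = parse_rrsig(line)
        result[f"{sig.owner}/{sig.type_covered}"] = check_validity(sig, now)
    return result


# Constructed sample answer section (not real data): one A RRset whose
# signature expired on 1 Feb 2025, one whose signature is still current.
SAMPLE_ANSWER = [
    "host.example.test.  300  IN  A     192.0.2.10",
    "host.example.test.  300  IN  RRSIG A 13 3 300 20250201000000 20250101000000 "
    "12345 example.test. c29tZWJhc2U2NHNpZ25hdHVyZQ==",
    "ok.example.test.    300  IN  A     192.0.2.11",
    "ok.example.test.    300  IN  RRSIG A 13 3 300 20250301000000 20250201000000 "
    "12345 example.test. YW5vdGhlcmJhc2U2NHNpZw==",
]

# Constructed validator clock for the sample: 2025-02-06 12:00:00 UTC.
SAMPLE_NOW = parse_timestamp("20250206120000")


if __name__ == "__main__":
    for name, state in triage(SAMPLE_ANSWER, SAMPLE_NOW).items():
        print(f"{name}: {state}")
```

To feed this real input, sign a test zone with signatures that are already out of date, as Mark suggests: dnssec-signzone accepts explicit inception and expiration times via its -s and -e options (YYYYMMDDHHMMSS), and `dig +dnssec` against the serving test host then returns RRSIG lines in exactly the format parsed above.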

Re: Difference in validating behavior 9.18 / 9.20

2025-02-07 Thread Darren Ankney
Hi John, About the release note you mention with the [GL #4586], this indicates the Gitlab issue that was fixed and resulted in this release note. Here it is: https://gitlab.isc.org/isc-projects/bind9/-/issues/4586 The fix for 9.18 would have been implemented here: https://gitlab.isc.org/isc-proje

Difference in validating behavior 9.18 / 9.20

2025-02-06 Thread John Thurston
We run both 9.18 and 9.20. We currently have servers running:

9.18.31
9.18.33
9.20.3
9.20.5

The 9.18 and 9.20 validating resolvers behave differently when exposed to expired RRSIG records. Both versions log errors of the type

validating transfer3.rastglb.cdc.gov/A: verify failed