From 158df73ed064e155ac5dff267fa9466e87e0af64 Mon Sep 17 00:00:00 2001
From: Philip Homburg
Date: Wed, 4 Mar 2026 14:45:30 +0100
Subject: [PATCH 1/3] Remove ZONEMD records from the input zone.
---
 src/commands/signzone.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/commands/signzone.rs b/src/commands/signzone.rs
index 7a41e20..efd67da 100644
--- a/src/commands/signzone.rs
+++ b/src/commands/signzone.rs
@@ -1464,7 +1464,15 @@ impl SignZone {
 // release a fixed version of ldns-signzone that strips
 // NSEC(3)s.
 //
+ // Remove ZONEMD records at apex as well. We don't always
+ // know the origin at this point. Just strip all ZONEMD
+ // records as they are currently only defined for
+ // use at the apex.
+ //
 // TODO: Support partial and re-signing.
+ if matches!(record.rtype(), Rtype::ZONEMD) {
+ continue;
+ }
 if !matches!(
 record.rtype(),
 Rtype::RRSIG | Rtype::NSEC | Rtype::NSEC3 | Rtype::NSEC3PARAM
From 7f195e82544f88cf64c7b3fd70f84a303e5e568c Mon Sep 17 00:00:00 2001
From: Philip Homburg
Date: Thu, 5 Mar 2026 15:15:49 +0100
Subject: [PATCH 2/3] Strip ZONEMD at apex if we know origin, otherwise strip all ZONEMD records.
---
 src/commands/signzone.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/commands/signzone.rs b/src/commands/signzone.rs
index efd67da..6d245cc 100644
--- a/src/commands/signzone.rs
+++ b/src/commands/signzone.rs
@@ -1466,12 +1466,21 @@ impl SignZone {
 //
 // Remove ZONEMD records at apex as well. We don't always
 // know the origin at this point. Just strip all ZONEMD
- // records as they are currently only defined for
- // use at the apex.
+ // records if we don't, strip ZONEMD records at apex
+ // if we do know the origin.
 //
 // TODO: Support partial and re-signing.
 if matches!(record.rtype(), Rtype::ZONEMD) {
- continue;
+ if let Some(origin) = &self.origin {
+ if *record.owner() == origin {
+ // ZONEMD record at origin, skip.
+ continue;
+ }
+ // Keep ZONEMD records that are not at origin.
+ } else {
+ // Origin is not known, skip all ZONEMD records.
+ continue;
+ }
 }
 if !matches!(
 record.rtype(),
From 3b7436af1bb25bd451228eb7911d77d5460ba4d8 Mon Sep 17 00:00:00 2001
From: Philip-NLnetLabs
Date: Fri, 6 Mar 2026 14:58:19 +0100
Subject: [PATCH 3/3] Update src/commands/signzone.rs
Co-authored-by: Jannik Peters
---
 src/commands/signzone.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/commands/signzone.rs b/src/commands/signzone.rs
index 6d245cc..1e00af9 100644
--- a/src/commands/signzone.rs
+++ b/src/commands/signzone.rs
@@ -1464,12 +1464,12 @@ impl SignZone {
 // release a fixed version of ldns-signzone that strips
 // NSEC(3)s.
 //
+ // TODO: Support partial and re-signing.
+ //
 // Remove ZONEMD records at apex as well. We don't always
 // know the origin at this point. Just strip all ZONEMD
 // records if we don't, strip ZONEMD records at apex
 // if we do know the origin.
- //
- // TODO: Support partial and re-signing.
 if matches!(record.rtype(), Rtype::ZONEMD) {
 if let Some(origin) = &self.origin {
 if *record.owner() == origin {
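Review bot: In the [PATCH 2/3] hunk (`@@ -1466,12 +1466,21 @@`), the `else` branch drops every ZONEMD record when `self.origin` is `None`, so non-apex ZONEMD records that the known-origin branch keeps are silently removed, and the signed output depends on whether an origin was available at this point. If the origin cannot be learned before this loop, a warning when ZONEMD records are dropped without a known origin would make that visible, and the comment could say so: `// Origin is not known, skip all ZONEMD records (including non-apex ones, which are kept when the origin is known).` The comparison `*record.owner() == origin` decides whether an input apex ZONEMD survives into the signed zone, where its digest would presumably no longer match and verifying consumers could reject the zone, so it is worth confirming that both names are absolute and compared case-insensitively here. Nothing in the series tests the three cases (apex with origin, non-apex with origin, no origin), and the enclosing loop and function start and end outside the hunk.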