> >>>>> "Mark" == Mark Andrews writes:
> >> There are *no* duplicates that I can find. (It would be nice if
> >> named would log what the conflict is)

> Mark> You are trying to load a DNSSEC zone (with a CNAME) on a
> Mark> DNSSECbis server.
> Yes, agreed. i said that :-)
> I would ask that maybe 9.2.x might be more clear about the reason for
> the failure to load.

Well the only thing missing was the name with the offending
data which is easily found by transfering the zone and running
named-checkzone on it.

dig sandelman.ca @ > tmp
named-checkzone sandelman.ca tmp

In general "CNAME and other data" error should be picked up on the
master. DNSSECbis is special as it relaxed the rules.

I suppose we could explictly check for RRSIG/NSEC in 9.2 issue a

> I would also ask that perhaps 9.3.x be tolerant of NXT/SIG being
> present. I really think this is important.

I double checked. It should load a DNSSEC zone. It won't generate
the proofs however.

> If we want DNSSEC to be incrementally deployable, then making it hard
> for people to upgrade to 9.3 is a bad idea. Making it confusing to
> some ISP why their 9.2 fails to load a zone suddendly is also bad.

Incremental deployment would require that proofs be generated and
validated for both DNSSEC and DNSSECbis. BIND 9.3 does not do this.

> - --
> ] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls
> [
> ] mcr @ xelerance.com Now doing IPsec training, see |net architec
> t[
> ] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device drive
> r[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");
> [
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
> iQCVAwUBQf1HaYqHRg3pndX9AQHnCwP/S+WfTPGxbivY6tfWN0yej6lKBEwtsh/+
> hqz0gDk2djtELvIfIJhVCJcitXZSzptusyR/t9mlMlHQqcgDcN+uAoeXtVhC9ADY
> +cf3Yzod2sc=

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org