I just found quite serious bug in dnssec-signzone :-(.

dnssec-signzone quietly drops DS records when -g switch is used
(generate DS records).

Commands used:

Without -g:
# dnssec-signzone -v 255 -s 20080901000000 -e 20080930235900 -k
Kcz.+005+36397.key -o cz -f cz.signed.plain cz.example
Kcz.+005+16902.key 2>dnssec-signzone.log.plain

With -g:
dnssec-signzone -g -v 255 -s 20080901000000 -e 20080930235900 -k
Kcz.+005+36397.key -o cz -f cz.signed.gends cz.example
Kcz.+005+16902.key 2>dnssec-signzone.log.gends

Attached files:
- cz.example (stripped down .cz zone)
- cz.signed.*
- dnssec-signzone.log.*
- cz.signed.diff (diff of cz.signed.plain and cz.signed.gends)
- dnssec-signzone.log.diff (diff of dnssec-signzone.log.plain and

Notice that dnssec-signzone.log.gends doesn't even mention DS record
of dnssec.cz,
looks like there is some IF DS THEN SKIP code when -g is used.

Ondřej Surý
technický ředitel/Chief Technical Officer
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23,120 00 Praha 2,Czech Republic
mailtondrej.sury@nic.cz http://nic.cz/
sipndrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112