Bug 230667 - -d option to dnssec-signzone does not work
Summary: -d option to dnssec-signzone does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Adam Tkac
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-03-02 00:06 UTC by Sander Steffann
Modified: 2013-04-30 23:35 UTC

Fixed In Version: RHBA-2007-0744
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 17:27:58 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0744 normal SHIPPED_LIVE bind bug fix update 2007-10-30 23:00:26 UTC

Description Sander Steffann 2007-03-02 00:06:09 UTC
Description of problem:
The -d option (specify different key directory) of dnssec-signzone does not
work. Using strace I see dnssec-signzone trying to open the keys in the current
directory, with and without the -d option.

Version-Release number of selected component (if applicable):
bind-9.3.3-5.el5 (although the software reports 9.3.3rc2)

How reproducible:
- Create a DNS zone file (example.com)
- Create a zone signing key:
  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
- Create a key signing key:
  dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE example.com
- Add the contents of the generated .key files to the zone file
- Move the key files (both .key and .private) to another directory
- Sign the zone:
  dnssec-signzone -d /other/dir/ example.com

Actual results:
This will fail with the error: "dnssec-signzone: warning: No keys specified or
found". Placing the .key and .private files in the same directory as the zone
file makes it work (with and without the -d option)

Expected results:
It should use the specified directory instead of the current directory.
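
Added example (not part of the original report and not BIND code): a pre-flight check that derives the key file names a zone's DNSKEY records imply and reports whether each .key/.private pair sits in the separate key directory or only beside the zone file. It assumes single-line DNSKEY records and the K<name>+<alg>+<tag> naming used by dnssec-keygen; the function names and the sample zone are constructed for illustration.

```python
import base64
import os
import re

# Single-line DNSKEY records with a fully qualified owner name, as found in
# dnssec-keygen .key files (assumption: no multi-line/parenthesised records).
DNSKEY_RE = re.compile(
    r"^(\S+\.)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?DNSKEY"
    r"[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(.+)$", re.MULTILINE)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSAMD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def expected_key_files(zone_text: str) -> list:
    """Base names (K<owner>+<alg>+<tag>) for every DNSKEY in the zone."""
    names = []
    for owner, flags, proto, alg, b64 in DNSKEY_RE.findall(zone_text):
        rdata = bytes([int(flags) >> 8, int(flags) & 0xFF, int(proto), int(alg)])
        rdata += base64.b64decode("".join(b64.split()))
        names.append("K%s+%03d+%05d" % (owner.lower(), int(alg), key_tag(rdata)))
    return names

def locate_keys(zone_text: str, key_dir: str, zone_dir: str = ".") -> dict:
    """Report where each key pair lives and whether .private is exposed."""
    report = {}
    for base in expected_key_files(zone_text):
        def has_pair(d):
            return all(os.path.isfile(os.path.join(d, base + ext))
                       for ext in (".key", ".private"))
        if has_pair(key_dir):
            mode = os.stat(os.path.join(key_dir, base + ".private")).st_mode
            report[base] = "loose-permissions" if mode & 0o077 else "ok"
        elif has_pair(zone_dir):
            report[base] = "only-in-zone-dir"   # signing works only from here
        else:
            report[base] = "missing"
    return report

# Constructed sample zone; the key material is a placeholder, not a real key.
SAMPLE_ZONE = """\
example.com. IN SOA ns.example.com. admin.example.com. 1 3600 600 86400 3600
example.com. IN DNSKEY 256 3 5 AQAB
example.com. 3600 IN DNSKEY 257 3 5 AQAB
"""

if __name__ == "__main__":
    print(locate_keys(SAMPLE_ZONE, "/other/dir"))
```
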

Comment 1 Adam Tkac 2007-04-11 13:57:58 UTC
dnssec-signzone now really ignores the -d option. Could you please test the
proposed fix and tell me your impressions?
http://people.redhat.com/atkac/test_srpms/bind-9.3.3-8.1.el5.src.rpm

Regards, -A-

Comment 2 Sander Steffann 2007-04-11 14:05:34 UTC
I'm downloading the source RPM now, and I'll test it as soon as possible. I will
be out of the office tomorrow, but I hope to have it tested by Friday.

Comment 3 Sander Steffann 2007-04-11 15:38:49 UTC
Fix confirmed. Works like a charm :)

Thanks!
Sander


Comment 4 Adam Tkac 2007-04-11 15:41:36 UTC
(In reply to comment #3)
Yeah, thanks for your very fast response. The fix could be available in RHEL5 U1

-A-

Comment 6 RHEL Product and Program Management 2007-04-25 20:56:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 9 Adam Tkac 2007-05-07 14:49:49 UTC
Upstream denied the proposed patch because it breaks regression. The -d option
is now used for keyset files for child zones, not for signing keys. It's
absolutely necessary to create a new option. I've called it -D and the proposed
update is now available
(http://people.redhat.com/atkac/test_srpms/bind-9.3.3-8.2.el5.src.rpm)

Regards, Adam

Comment 13 Sander Steffann 2007-05-29 14:40:56 UTC
Sorry for the late reply. I will look at this new version soon. I just read up
on the -d option in bind, and it is very useful the way it is now, so good
decision to add a new -D option :-)

Comment 14 Sander Steffann 2007-05-29 14:59:18 UTC
Can you make the RPM available again? The current link does not work anymore.

Comment 15 Adam Tkac 2007-05-29 16:12:01 UTC
(In reply to comment #14)
Yeah. You could visit http://people.redhat.com/atkac/test_srpms/ and download
the rhel5 version. I always do cleanup after the reporter verifies the fix :)

Regards, -A-



Comment 19 errata-xmlrpc 2007-11-07 17:27:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0744.html


