[GH-ISSUE #2358] Accept RRSIG records in zone file #973

New issue

Open

opened 2026-03-16 01:08:17 +03:00 by kerem · 1 comment

kerem commented

2026-03-16 01:08:17 +03:00

Owner

Originally created by @git001 on GitHub (Aug 14, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2358

Describe the bug

I try to run my own resolver with the available https://www.internic.net/domain/root.zone file.
When I now run the following command.

/datadisk/git-repos/hickory-dns $ ./target/release/hickory-dns \
  --config /datadisk/hickory-dns-root/etc/example.toml --debug

with this config file

listen_addrs_ipv6 = ["::0"]
listen_port = 2053
directory = "/datadisk/hickory-dns-root/zones"
[[zones]]
zone = "."
zone_type = "Primary"
stores = { type = "recursor", roots = "root.zone", ns_cache_size = 1024, record_cache_size = 1048576 }

Responses the server with this message and do not start.

Error: could not load zone .: failed to read roots root.zone: failed to parse the zone file: RRSIG should be dynamically generated

The message is created in this file.

github.com/hickory-dns/hickory-dns@1f477b70b1/crates/proto/src/serialize/txt/parse_rdata.rs (L114-L115)

From my understanding is it perfectly valid to have a RRSIG entry in the zone file why I assume that's a bug or just not yet handled.

To Reproduce
Steps to reproduce the behavior:

git clone https://github.com/hickory-dns/hickory-dns.git
cd 'hickory-dns'
cargo build --release --features recursor,dnssec,dnssec-ring -p hickory-dns
mkdir /datadisk/hickory-dns-root
mkdir /datadisk/hickory-dns-root/etc
mkdir /datadisk/hickory-dns-root/zones
curl -vLo /datadisk/hickory-dns-root/zones/root.zone https://www.internic.net/domain/root.zone

Create config /datadisk/hickory-dns-root/etc/example.toml

listen_addrs_ipv6 = ["::0"]
listen_port = 2053
directory = "/datadisk/hickory-dns-root/zones"
[[zones]]
zone = "."
zone_type = "Primary"
stores = { type = "recursor", roots = "root.zone", ns_cache_size = 1024, record_cache_size = 1048576 }

Run the server

/datadisk/git-repos/hickory-dns $ ./target/release/hickory-dns \
  --config /datadisk/hickory-dns-root/etc/example.toml --debug

Expected behavior
I would expect that the downloaded https://www.internic.net/domain/root.zone is loaded into hickory-dns and the servers are used to resolve the names

System:

OS: Linux
Architecture: x86_64
Version: Hickory DNS named server 0.25.0-alpha.2
rustc version: rustc 1.80.1 (3f5fd8dd4 2024-08-06)

Version:
Crate: Hickory DNS named server 0.25.0-alpha.2
Version: 0.25.0-alpha.2

Additional context
Add any other context about the problem here.

Originally created by @git001 on GitHub (Aug 14, 2024). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2358 **Describe the bug** I try to run my own resolver with the available https://www.internic.net/domain/root.zone file. When I now run the following command. ```shell /datadisk/git-repos/hickory-dns $ ./target/release/hickory-dns \ --config /datadisk/hickory-dns-root/etc/example.toml --debug ``` with this config file ```toml listen_addrs_ipv6 = ["::0"] listen_port = 2053 directory = "/datadisk/hickory-dns-root/zones" [[zones]] zone = "." zone_type = "Primary" stores = { type = "recursor", roots = "root.zone", ns_cache_size = 1024, record_cache_size = 1048576 } ``` Responses the server with this message and do not start. ``` Error: could not load zone .: failed to read roots root.zone: failed to parse the zone file: RRSIG should be dynamically generated ``` The message is created in this file. https://github.com/hickory-dns/hickory-dns/blob/1f477b70b12c12bd0b6e972e0f9ec03b5395e7e3/crates/proto/src/serialize/txt/parse_rdata.rs#L114-L115 From my understanding is it perfectly valid to have a `RRSIG` entry in the zone file why I assume that's a bug or just not yet handled. **To Reproduce** Steps to reproduce the behavior: ``` git clone https://github.com/hickory-dns/hickory-dns.git cd 'hickory-dns' cargo build --release --features recursor,dnssec,dnssec-ring -p hickory-dns mkdir /datadisk/hickory-dns-root mkdir /datadisk/hickory-dns-root/etc mkdir /datadisk/hickory-dns-root/zones curl -vLo /datadisk/hickory-dns-root/zones/root.zone https://www.internic.net/domain/root.zone ``` Create config `/datadisk/hickory-dns-root/etc/example.toml` ```toml listen_addrs_ipv6 = ["::0"] listen_port = 2053 directory = "/datadisk/hickory-dns-root/zones" [[zones]] zone = "." zone_type = "Primary" stores = { type = "recursor", roots = "root.zone", ns_cache_size = 1024, record_cache_size = 1048576 } ``` Run the server ```shell /datadisk/git-repos/hickory-dns $ ./target/release/hickory-dns \ --config /datadisk/hickory-dns-root/etc/example.toml --debug ``` **Expected behavior** I would expect that the downloaded https://www.internic.net/domain/root.zone is loaded into hickory-dns and the servers are used to resolve the names **System:** - OS: Linux - Architecture: x86_64 - Version: Hickory DNS named server 0.25.0-alpha.2 - rustc version: rustc 1.80.1 (3f5fd8dd4 2024-08-06) **Version:** Crate: Hickory DNS named server 0.25.0-alpha.2 Version: 0.25.0-alpha.2 **Additional context** Add any other context about the problem here.

kerem added the

enhance

compliance

labels

2026-03-16 01:08:17 +03:00

kerem commented

2026-03-16 01:08:28 +03:00

Author

Owner

@bluejekyll commented on GitHub (Mar 2, 2025):

When I designed my goal was to make signing simpler, which is why Hickory signs all records and doesn't host RRSIG. We should definitely revisit this and get it supported.

@bluejekyll commented on GitHub (Mar 2, 2025): When I designed my goal was to make signing simpler, which is why Hickory signs all records and doesn't host RRSIG. We should definitely revisit this and get it supported.

kerem referenced this issue

2026-03-16 02:27:47 +03:00

[PR #973] [MERGED] add examples to test case in Resolver #1827