From bc703a12e7adf83ac0cef3624fc846eb2c843dbb Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 11 Oct 2022 11:21:35 +0200 Subject: [PATCH] Remove checks when going to dnssec-policy none The changes in the code have the side effect that the CDNSKEY and CDS records in the secure version of the zone are not reusable and thus are thrashed from the zone. Remove the apex checks for this use case. We only care about that the zone is not immediately goes bogus, but a user really should use the built-in "insecure" policy when unsigning a zone. --- bin/tests/system/kasp/tests.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index cfe45fbf29..ab65dff3ad 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -4033,8 +4033,6 @@ key_clear "KEY4" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -check_apex -check_subdomain dnssec_verify #