Affects ldns-signzone 1.8.4 and ldns-verify-zone 1.8.4.
Given the following input zone:
```
$ cat test-data/example.org.early-sorting-glue
earlier-sorting.org. 240 IN A 128.140.76.106
example.org. 240 IN SOA example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org. 240 IN NS earlier-sorting.org.
example.org. 240 IN A 128.140.76.106
some.example.org. 240 IN A 1.1.1.1
```
Sign it and verify it:
```
$ ldns-signzone -v
zone signer version 1.8.4 (ldns version 1.8.4)
$ ldns-signzone -o example.org -b -f /tmp/ldns-with-o.out -e 20260101010101 -i 20240101010101 -n -t 0 test-data/example.org.early-sorting-glue test-data/Kexample.org.+008+51331
```
However, dnssec-verify doesn't like the zone:
```
$ dnssec-verify -x -o example.org. /tmp/ldns-with-o.out test-data/Kexample.org.+008+51331 test-data/Kexample.org.+008+28954
Loading zone 'example.org.' from file '/tmp/ldns-with-o.out'
Verifying the zone using the following algorithms:
- RSASHA256
Expected and found NSEC3 chains not equal
Break in NSEC3 chain at: 8UM1KJCJMOFVVMQ7CB0OP7JT39LG8R9J
Expected: E16C7B9E7CQGJJ1DOJART00MRFCEV447
Found: VRCJ1RGALBB9EH2II8A43FBEIB1UFQF6
DNSSEC completeness test failed (failure).
```
And if we look at the signed zone, it is indeed a bit odd: it contains an RRSIG for the out-of-zone `earlier-sorting.org` and includes it in the NSEC3 chain of `example.org`.
This happens irrespective of whether or not `-o` is passed to `ldns-signzone` (and note that `ldns-verify-zone` does not have a corresponding `-o` option to use).
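The report above boils down to one check: the NSEC3 ring a verifier expects is built from the in-zone owner names only (RFC 5155 section 7.1), so a hash for an out-of-zone owner breaks the "expected vs found" comparison that dnssec-verify prints. The script below is an added example written for this page; it is not part of the issue and not ldns code. It recomputes the expected ring (RFC 5155 hashing, plus the empty non-terminals the RFC requires), diffs it against the NSEC3 records found in a signed zone, and in `demo()` reproduces the reported behaviour by hashing every owner of the issue's input zone, the stray `earlier-sorting.org` included. Assumptions: `parse_zone` handles only the one-RR-per-line presentation format shown in the transcript (no `$ORIGIN`, parentheses or multi-line RRs); the NSEC3 ring that `demo()` labels "found" is simulated from the described behaviour, not parsed from the real `/tmp/ldns-with-o.out`; glue below a delegation is not filtered out, although the RFC excludes it too; and the self-check value is the apex hash from RFC 5155 Appendix A (zone `example`, salt `aabbccdd`, 12 iterations).

```python
"""Added example: diff a signed zone's NSEC3 ring against the ring its in-zone owners imply."""
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 s.7); Python only ships plain base32, so translate.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name: str) -> list:
    """Presentation name -> lowercase label list without the root (RFC 4034 canonical form)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_zone(name: str, origin: str) -> bool:
    """True if name equals origin or lies below it, compared label-wise (so fooexample.org is not)."""
    n, o = labels(name), labels(origin)
    return len(n) >= len(o) and n[len(n) - len(o):] == o


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s.5: SHA-1(wire name || salt), re-hashed `iterations` more times, base32hex."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)  # 20 bytes -> 32 chars, no padding


def build_chain(names, salt: bytes = b"", iterations: int = 0) -> dict:
    """Sorted hash ring: each owner hash maps to the next one, the last wraps to the first."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def expected_chain(owner_names, origin: str, salt: bytes = b"", iterations: int = 0) -> dict:
    """Ring a verifier expects: in-zone owners plus their empty non-terminals, nothing else.

    Out-of-zone owners (the earlier-sorting.org case) are dropped here. Glue below a
    delegation is NOT filtered by this example, although RFC 5155 s.7.1 excludes it as well.
    """
    depth = len(labels(origin))
    names = set()
    for n in owner_names:
        if not in_zone(n, origin):
            continue
        ls = labels(n)
        for i in range(len(ls) - depth + 1):      # the name and every ancestor down to the apex
            names.add(".".join(ls[i:]) + ".")
    return build_chain(names, salt, iterations)


def chain_breaks(expected: dict, found: dict) -> list:
    """(owner_hash, expected_next, found_next) wherever the rings disagree.

    found_next is None for a missing NSEC3; expected_next is None for a stray one.
    """
    breaks = [(h, nxt, found.get(h)) for h, nxt in sorted(expected.items()) if found.get(h) != nxt]
    breaks += [(h, None, found[h]) for h in sorted(set(found) - set(expected))]
    return breaks


def parse_zone(text: str, origin: str):
    """One-RR-per-line parser (assumption: 'owner TTL class TYPE rdata', as ldns-signzone writes).

    Returns (owner names of data RRs, found NSEC3 ring, salt, iterations). RRSIGs are skipped
    because an RRSIG over an NSEC3 sits on a hashed owner name, not a real one.
    """
    owners, found, salt, iterations = set(), {}, b"", 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop the comments that -b adds
        if not line or line.startswith("$"):
            continue
        f = line.split()
        if len(f) < 4:
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "NSEC3PARAM":                 # rdata: alg flags iterations salt
            iterations = int(rdata[2])
            salt = b"" if rdata[3] == "-" else bytes.fromhex(rdata[3])
        elif rtype == "NSEC3":                    # rdata: alg flags iterations salt next [types]
            found[labels(owner)[0].upper()] = rdata[4].upper()
        elif rtype != "RRSIG":
            owners.add(owner)
    return owners, found, salt, iterations


def check_signed_zone(text: str, origin: str) -> list:
    """Run the expected-vs-found comparison over a signed zone file's text."""
    owners, found, salt, iterations = parse_zone(text, origin)
    return chain_breaks(expected_chain(owners, origin, salt, iterations), found)


# The issue's input zone, verbatim.
INPUT_ZONE = """\
earlier-sorting.org. 240 IN A 128.140.76.106
example.org. 240 IN SOA example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org. 240 IN NS earlier-sorting.org.
example.org. 240 IN A 128.140.76.106
some.example.org. 240 IN A 1.1.1.1
"""


def demo() -> list:
    """Simulate the reported signer behaviour (every owner hashed, -t 0, empty salt) and diff it."""
    owners, _, _, _ = parse_zone(INPUT_ZONE, "example.org.")
    found = build_chain(owners)                   # constructed: mimics the described output
    return chain_breaks(expected_chain(owners, "example.org."), found)


if __name__ == "__main__":
    for owner, exp, got in demo():
        print(f"Break in NSEC3 chain at: {owner} Expected: {exp} Found: {got}")
```

Against a real signed file, `check_signed_zone(open("/tmp/ldns-with-o.out").read(), "example.org.")` performs the same comparison; the stray `earlier-sorting.org` hash shows up with `expected_next` of `None`, and the in-zone hash that precedes it in sort order shows the wrong `found_next`, which is the shape of the break dnssec-verify reports.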