dnssec-signzone was not removing unnecessary rrsigs from zone
dnssec-signzone from BIND 9.10.3-P4 or BIND 9.9.8-P4 and earlier has a bug: it does not remove unnecessary RRSIGs from the zone. It is fixed for the upcoming releases:
- [bug] dnssec-signzone was not removing unnecessary rrsigs from the zone's apex. [RT #41483]
Specifically, it was fixed on 28 January 2016: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=832ab79d1f8bc4edf638780b306888da30ac3a1e
validns detects these signatures, e.g.:

    validns 8.example.com.signed
    8.example.com.signed:47: 8.example.com. RRSIG exists for non-existing type A
Note that both ldns-verify-zone and dnssec-verify ignore these RRSIGs:

    ldns-verify-zone 8.example.com.signed
    Checking: 8.example.com.
    Checking: www.8.example.com.
    Zone is verified and complete

    dnssec-verify -x -o 8.example.com. 8.example.com.signed
    Loading zone '8.example.com.' from file '8.example.com.signed'
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 0 active, 0 present, 0 revoked
Instead of permanently ignoring unnecessary RRSIGs, I think a policy check for this explicit case is appropriate.
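As an added example, not part of the original note and not code from validns or BIND, here is a minimal version of such a policy check: it reads a signed zone in presentation format and reports every RRSIG whose covered type has no RRset at the same owner name. The zone text, owner names, key tag and signature data are constructed, and the parser assumes one record per line with explicit TTL and class, as dnssec-signzone writes it.

```python
from collections import defaultdict

# Constructed sample zone in presentation format (one record per line,
# signatures are dummy base64); the apex "RRSIG A" is the bug's symptom.
SAMPLE_ZONE = """\
8.example.com.     3600 IN SOA   ns1.8.example.com. hostmaster.8.example.com. 2016012801 7200 3600 1209600 3600
8.example.com.     3600 IN RRSIG SOA 8 3 3600 20160227000000 20160128000000 12345 8.example.com. c2lnMQ==
8.example.com.     3600 IN NS    ns1.8.example.com.
8.example.com.     3600 IN RRSIG NS 8 3 3600 20160227000000 20160128000000 12345 8.example.com. c2lnMg==
8.example.com.     3600 IN RRSIG A 8 3 3600 20160227000000 20160128000000 12345 8.example.com. c2lnMw==
www.8.example.com. 3600 IN A     192.0.2.10
www.8.example.com. 3600 IN RRSIG A 8 4 3600 20160227000000 20160128000000 12345 8.example.com. c2lnNA==
"""

def parse_records(zone_text):
    """Yield (line_no, owner, rrtype, rdata_fields) for each record line.
    Assumes one record per line with explicit TTL and class (dnssec-signzone
    output style); comments and blank lines are skipped."""
    for line_no, raw in enumerate(zone_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rrtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        yield line_no, owner, rrtype, rdata

def find_orphan_rrsigs(zone_text):
    """Return (line_no, owner, type_covered) for every RRSIG whose covered
    type has no RRset at that owner, the condition validns reports as
    'RRSIG exists for non-existing type'."""
    records = list(parse_records(zone_text))
    types_present = defaultdict(set)
    for _, owner, rrtype, _ in records:
        if rrtype != "RRSIG":
            types_present[owner].add(rrtype)
    orphans = []
    for line_no, owner, rrtype, rdata in records:
        if rrtype == "RRSIG":
            covered = rdata[0].upper()  # first RRSIG rdata field: type covered
            if covered not in types_present[owner]:
                orphans.append((line_no, owner, covered))
    return orphans

if __name__ == "__main__":
    for line_no, owner, covered in find_orphan_rrsigs(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} RRSIG exists for non-existing type {covered}")
```

Only the apex RRSIG covering A is reported; the RRSIGs over SOA, NS and www's A each have a matching RRset and pass.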