dnssec-signzone hangs on ECDSA

thenob
Posts: 1
Joined: 2023/09/19 12:06:53

dnssec-signzone hangs on ECDSA

Post by thenob » 2023/09/19 12:20:48

BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.14

When signing a zone with ECDSA, dnssec-signzone hangs.
/usr/sbin/dnssec-signzone -N unixtime -k Kexample.com.+013+36340.key -o example.com example.com Kexample.com.+013+55624.key

The dsset-file is made correctly, but upon signing the zone the program hangs.

Last lines of strace output:

clone(child_stack=0x7ff905ddeeb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7ff905ddf9d0, tls=0x7ff905ddf700, child_tidptr=0x7ff905ddf9d0) = 2980
open("/proc/self/task/2980/comm", O_RDWR) = 5
write(5, "isc-worker0001", 14) = 14
close(5) = 0
write(2, "dnssec-signzone: ", 17) = 17
write(2, "no existing signatures for amels"..., 45) = 45
write(2, "dnssec-signzone: ", 17) = 17
write(2, "example.com/NSEC:\n", 19) = 19
write(2, "dnssec-signzone: ", 17) = 17
write(2, "\tsigning with dnskey example.co"..., 56) = 56
read(3, 0x7fff04db22e0, 32) = -1 EAGAIN (Hulpbron is tijdelijk onbeschikbaar)
select(4, [3], [], NULL, NULL <unfinished ...>) = ?


Upgrading to Bind-9.18 with the isc-bind copr-package fixed the problem.
Please update the maintained bind-version so everyone can sign with ECDSA-keys as this is coming to be the standard.

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: dnssec-signzone hangs on ECDSA

Post by TrevorH » 2023/09/19 12:39:56

You would need to make this request to Red Hat for inclusion in RHEL 7 to get it actioned. CentOS 7 is a rebuild of RHEL 7 so whatever is broken in RHEL 7 is broken in CentOS 7. Only if it is fixed in RHEL 7 will it be fixed in CentOS 7.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
