[DNSSEC] Resolver behavior with broken DS records

Marc Lampo marc.lampo at eurid.eu
Mon May 9 11:41:08 UTC 2011

So far - no SHA-2 records.  Only DS records with SHA-1.

I'll add DS records with SHA-2 and try again ...
So the "error" of the mismatched must be in the SHA-2 DS records ?
And *not* in the SHA-1's ?  Or in both ?

Kind regards,


-----Original Message-----
From: 'Stephane Bortzmeyer' [mailto:bortzmeyer at nic.fr] 
Sent: 09 May 2011 01:46 PM
To: Marc Lampo
Cc: bind-users at lists.isc.org
Subject: Re: [DNSSEC] Resolver behavior with broken DS records

On Mon, May 09, 2011 at 01:00:03PM +0200,
 Marc Lampo <marc.lampo at eurid.eu> wrote 
 a message of 47 lines which said:

>  1 correct DS record,
>  1 DS record, correct in everything but the algorithm

And one DS record hashed with SHA-1 and one hashed with SHA-2? This
was necessary to trigger the problem, because of RFC 4509, section 3
(SHA-1 records are ignored if SHA-2 ones are present).

More information about the bind-users mailing list