[DNSSEC] Resolver behavior with broken DS records

'Stephane Bortzmeyer' bortzmeyer at nic.fr
Mon May 9 11:51:31 UTC 2011


On Mon, May 09, 2011 at 01:41:08PM +0200,
 Marc Lampo <marc.lampo at eurid.eu> wrote 
 a message of 28 lines which said:

> So the "error" of the mismatch must be in the SHA-2 DS records?

Yes.

> And *not* in the SHA-1's? Or in both?

RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no
symmetry: the problem exists only if the invalid DS is the one hashed
with SHA-2.
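A worked illustration of that asymmetry, added here as an example and not code from the thread or from BIND: it computes DS digests the way RFC 4034 section 5.1.4 defines them (hash over the canonical owner name followed by the DNSKEY RDATA), applies the RFC 4509 section 3 rule that SHA-1 DS records are ignored whenever a SHA-256 DS is present in the same RRset, and then checks a mis-published DS in each position. The zone name, the DNSKEY RDATA (flags 257, protocol 3, algorithm 8 with filler bytes in place of a real public key) and the "corrupted" DS records are all constructed for the example.

```python
import hashlib
import struct
from typing import Iterable, NamedTuple

# DS digest type numbers (RFC 4034 / RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").lower().split(".")
        if label
    )
    return wire + b"\x00"


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """RFC 4034 section 5.1.4: digest = hash(owner name wire | DNSKEY RDATA)."""
    return DIGEST_FUNCS[digest_type](name_to_wire(owner) + dnskey_rdata).digest()


def make_ds(owner: str, dnskey_rdata: bytes, digest_type: int) -> DS:
    """Build the DS record a parent would publish for this DNSKEY."""
    algorithm = dnskey_rdata[3]  # byte after flags (2) and protocol (1)
    return DS(key_tag(dnskey_rdata), algorithm, digest_type,
              ds_digest(owner, dnskey_rdata, digest_type))


def ds_matches_key(owner: str, ds: DS, dnskey_rdata: bytes) -> bool:
    """What a validator checks before trusting a DNSKEY via a DS."""
    return (ds.key_tag == key_tag(dnskey_rdata)
            and ds.algorithm == dnskey_rdata[3]
            and ds.digest_type in DIGEST_FUNCS
            and ds.digest == ds_digest(owner, dnskey_rdata, ds.digest_type))


def usable_ds(ds_set: Iterable[DS], prefer_sha256: bool = True) -> list:
    """RFC 4509 section 3: drop SHA-1 DS records when a SHA-256 one is present."""
    supported = [ds for ds in ds_set if ds.digest_type in DIGEST_FUNCS]
    if prefer_sha256 and any(ds.digest_type == DIGEST_SHA256 for ds in supported):
        return [ds for ds in supported if ds.digest_type != DIGEST_SHA1]
    return supported


def secure_entry_point(owner: str, ds_set: Iterable[DS], dnskeys: Iterable[bytes],
                       prefer_sha256: bool = True) -> bool:
    """True if any DS the validator is allowed to use matches a DNSKEY."""
    return any(ds_matches_key(owner, ds, key)
               for ds in usable_ds(ds_set, prefer_sha256) for key in dnskeys)


# Constructed sample: a KSK RDATA (flags=257, protocol=3, algorithm=8) whose
# public-key field is filler; the DS computation does not care what it holds.
ZONE = "example.test."
KSK_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))


def corrupted(ds: DS) -> DS:
    """Same DS with its first digest byte flipped: a mis-published record."""
    return ds._replace(digest=bytes([ds.digest[0] ^ 0xFF]) + ds.digest[1:])


def scenarios() -> dict:
    """Validation outcome for each placement of the broken DS."""
    good_sha1 = make_ds(ZONE, KSK_RDATA, DIGEST_SHA1)
    good_sha256 = make_ds(ZONE, KSK_RDATA, DIGEST_SHA256)
    keys = [KSK_RDATA]
    return {
        "sha1_broken_sha256_good": secure_entry_point(ZONE, [corrupted(good_sha1), good_sha256], keys),
        "sha256_broken_sha1_good": secure_entry_point(ZONE, [good_sha1, corrupted(good_sha256)], keys),
        # Same RRset evaluated without the RFC 4509 preference, for contrast.
        "sha256_broken_sha1_good_without_rfc4509": secure_entry_point(
            ZONE, [good_sha1, corrupted(good_sha256)], keys, prefer_sha256=False),
        "sha1_only_good": secure_entry_point(ZONE, [good_sha1], keys),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'secure' if ok else 'bogus'}")
```

With the SHA-256 DS intact, a wrong SHA-1 DS is simply never consulted; with the SHA-256 DS wrong, the correct SHA-1 DS cannot rescue the zone, which is exactly the asymmetry described above. The contrast case shows that only a validator ignoring the RFC 4509 preference would accept that second RRset.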



More information about the bind-users mailing list