[DNSSEC] Resolver behavior with broken DS records

Tony Finch dot at dotat.at
Mon May 9 14:08:00 UTC 2011

Marc Lampo <marc.lampo at eurid.eu> wrote:

> Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.

As I understand it the problem that Stephane reported occurred when the
single SHA-2 DS was broken but the single SHA-1 DS was correct but
disregarded by the validator. There is no fallback from SHA-2 DS to SHA-1
(RFC 4509 section 3) so if all SHA-2 DS records are broken the whole
domain is broken.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
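
The DS selection rule from RFC 4509 section 3 that the reply refers to, as an added example that is not part of the original post or of BIND's code. The function names, the `example.` zone and the key bytes are constructed for illustration, and only DS-to-DNSKEY matching is modelled (no RRSIG checks).

```python
import hashlib
import struct

SHA1, SHA256 = 1, 2                      # DS digest type numbers
DIGESTS = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS as a tuple: (key tag, algorithm, digest type, digest)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def usable_ds(ds_rrset, prefer_sha256=True):
    """RFC 4509 section 3: with a SHA-256 DS present, SHA-1 DS are ignored."""
    if prefer_sha256 and any(ds[2] == SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] != SHA1]
    return list(ds_rrset)

def delegation_ok(owner, ds_rrset, dnskeys, prefer_sha256=True):
    """True if some usable DS matches a DNSKEY (signature checks omitted)."""
    return any(ds[2] in DIGESTS and ds == make_ds(owner, rdata, ds[2])
               for ds in usable_ds(ds_rrset, prefer_sha256) for rdata in dnskeys)

# Constructed sample: one KSK (flags 257, algorithm 8) with made-up key bytes.
KEY = dnskey_rdata(257, 8, bytes(range(64)))
GOOD_SHA1 = make_ds("example.", KEY, SHA1)
GOOD_SHA256 = make_ds("example.", KEY, SHA256)
BROKEN_SHA256 = GOOD_SHA256[:3] + (b"\x00" * 32,)   # wrong digest

if __name__ == "__main__":
    for label, rrset in [("SHA-1 only", [GOOD_SHA1]),
                         ("SHA-1 + good SHA-2", [GOOD_SHA1, GOOD_SHA256]),
                         ("SHA-1 + broken SHA-2", [GOOD_SHA1, BROKEN_SHA256])]:
        print(label, "->", "ok" if delegation_ok("example.", rrset, [KEY]) else "bogus")
```

Passing `prefer_sha256=False` models a validator that does not apply the rule, which is why the same DS RRset can validate on one resolver and fail on another.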

More information about the bind-users mailing list