[DNSSEC] BIND validates but not Unbound: who is right?

Mukund Sivaraman muks at isc.org
Mon Feb 16 18:20:57 UTC 2015


On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote:
> ;; ANSWER SECTION:
> cepn.asso.fr.		171998 IN DS 36778 5 2 (
> 				D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E
> 				03D440C315A9D8FE1407 )
> cepn.asso.fr.		171998 IN DS 13585 8 2 (
> 				AB057D7A9BBDB721EBD33FC64F3C6CC53D9020D12F18
> 				BCEFC696494C9F9D6111 )

It's still not clear whether one should be preferred over the other in
the case:

1. DS RR algorithm=RSASHA1, digest=SHA-1
2. DS RR algorithm=RSASHA256, digest=SHA-256

But in the case of the DS RRs of cepn.asso.fr. above, both are SHA-256
digests. So there's an authentication chain through alg=5 digest=2.

		Mukund
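
The distinction drawn in the message above, as an added example that is not part of the original post and is not BIND or Unbound code: it parses the quoted DS RRset and lists which key algorithms can still anchor a chain. It assumes a validator that applies the RFC 4509 section 3 rule (ignore SHA-1 DS digests when a SHA-256 DS is present); the function names and the mixed RRset are constructed for illustration.

```python
from collections import namedtuple

DS = namedtuple("DS", "key_tag algorithm digest_type digest")

ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}  # IANA DNSSEC algorithm numbers
DIGEST_LEN = {1: 20, 2: 32}                 # DS digest types: SHA-1, SHA-256 (bytes)

def parse_ds(rdata):
    """Parse DS RDATA in presentation format: 'keytag alg digesttype hex ...'."""
    tag, alg, dtype, *hexparts = rdata.replace("(", " ").replace(")", " ").split()
    ds = DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexparts)))
    if DIGEST_LEN.get(ds.digest_type) != len(ds.digest):
        raise ValueError(f"digest length does not match digest type {dtype}")
    return ds

def usable_ds(rrset, supported_algs=(5, 8)):
    """Assumed policy: drop SHA-1 digests if any SHA-256 digest is present
    (RFC 4509 section 3), then keep DS RRs whose key algorithm is supported."""
    known = [ds for ds in rrset if ds.digest_type in DIGEST_LEN]
    if any(ds.digest_type == 2 for ds in known):
        known = [ds for ds in known if ds.digest_type != 1]
    return [ds for ds in known if ds.algorithm in supported_algs]

def chain_algorithms(rrset, supported_algs=(5, 8)):
    """Names of key algorithms through which a chain can still be built."""
    algs = {ds.algorithm for ds in usable_ds(rrset, supported_algs)}
    return sorted(ALG_NAMES.get(a, str(a)) for a in algs)

# DS RRset quoted in the message (cepn.asso.fr.): both digests are type 2.
PAGE_RRSET = [
    parse_ds("36778 5 2 ( D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E"
             " 03D440C315A9D8FE1407 )"),
    parse_ds("13585 8 2 ( AB057D7A9BBDB721EBD33FC64F3C6CC53D9020D12F18"
             " BCEFC696494C9F9D6111 )"),
]

# Constructed RRset for the two-item case in the message (alg 5 with SHA-1,
# alg 8 with SHA-256); key tags and digests are placeholders, not real data.
MIXED_RRSET = [
    parse_ds("11111 5 1 " + "00" * 20),
    parse_ds("22222 8 2 " + "11" * 32),
]

if __name__ == "__main__":
    print("page RRset :", chain_algorithms(PAGE_RRSET))
    print("mixed RRset:", chain_algorithms(MIXED_RRSET))
    print("alg 5 only :", usable_ds(PAGE_RRSET, supported_algs=(5,)))
```

With the quoted RRset the digest-type rule removes nothing, so the algorithm 5 DS stays a candidate alongside the algorithm 8 one; in the constructed mixed set only the algorithm 8 DS survives under the assumed policy.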