[DNSSEC] BIND validates but not Unbound: who is right?

Mark Andrews marka at isc.org
Mon Feb 16 21:45:51 UTC 2015


In message <20150216212821.GA27521 at nic.fr>, Stephane Bortzmeyer writes:
> On Tue, Feb 17, 2015 at 07:34:37AM +1100,
>  Mark Andrews <marka at isc.org> wrote 
>  a message of 171 lines which said:
> 
> > The validator is *not* supposed to *check* if the zone has been
> > signed with all the algorithms in the DS RRset.  It is supposed to
> > keep trying all RRSIG/DS/DNSKEY combinations until it succeeds.
> 
> For the record, the relevant RFC seems to be RFC 6840, section 5.11,
> "A signed zone MUST include a DNSKEY for each algorithm present in the
> zone's DS RRset and expected trust anchors for the zone.  The zone
> MUST also be signed with each algorithm (though not each key) present
> in the DNSKEY RRset."

That is an instruction to the signer.  It is NOT an instruction to the
validator to check.

> It seems that the zone violated the first requirement (there was an
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second
> (there was only alg. 5 in the DNSKEY RRset).
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
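To make the two validator behaviours discussed above concrete, here is an added toy model (not code from this thread, nor from BIND or Unbound): the strict check that fails because a DS algorithm has no matching DNSKEY, beside the try-every-DS/DNSKEY/RRSIG-combination behaviour Mark describes. Record layouts are simplified, the DS digest follows the real digest-type-2 construction over constructed inputs, and signature verification is a keyed-hash stand-in rather than real DNSSEC cryptography.

```python
import hashlib
import hmac
from collections import namedtuple
# Constructed, simplified records: real DS/DNSKEY/RRSIG RDATA carry more fields than this.
DNSKEY = namedtuple("DNSKEY", "algorithm key_tag public_key")
DS = namedtuple("DS", "key_tag algorithm digest")          # digest type 2 (SHA-256) assumed
RRSIG = namedtuple("RRSIG", "algorithm key_tag signature")

def ds_digest(owner_wire, key):
    """DS digest type 2 is SHA-256(owner name in wire format | DNSKEY RDATA);
    the RDATA is modelled here as the algorithm byte plus the key material."""
    return hashlib.sha256(owner_wire + bytes([key.algorithm]) + key.public_key).digest()

def signature_ok(sig, key, rrset_wire):
    """Stand-in for RSA/ECDSA verification: a keyed hash, not real DNSSEC crypto."""
    return hmac.compare_digest(sig.signature, hmac.new(key.public_key, rrset_wire, hashlib.sha256).digest())

def verified_chains(owner_wire, ds_set, dnskey_set, rrsigs, rrset_wire):
    """Yield every DS -> DNSKEY -> RRSIG combination that verifies end to end."""
    for ds in ds_set:
        for key in dnskey_set:
            if (key.key_tag, key.algorithm) != (ds.key_tag, ds.algorithm):
                continue
            if not hmac.compare_digest(ds_digest(owner_wire, key), ds.digest):
                continue
            for sig in rrsigs:
                if (sig.key_tag, sig.algorithm) == (key.key_tag, key.algorithm) \
                        and signature_ok(sig, key, rrset_wire):
                    yield ds, key, sig

def strict_validate(owner_wire, ds_set, dnskey_set, rrsigs, rrset_wire):
    """Over-strict behaviour the thread argues against: fail as soon as some DS
    algorithm has no DNSKEY, before trying any signature."""
    if {ds.algorithm for ds in ds_set} - {k.algorithm for k in dnskey_set}:
        return "bogus"
    return "secure" if any(verified_chains(owner_wire, ds_set, dnskey_set, rrsigs, rrset_wire)) else "bogus"

def try_all_validate(owner_wire, ds_set, dnskey_set, rrsigs, rrset_wire):
    """Validator behaviour described in the thread (RFC 6840 section 5.11):
    keep trying combinations and accept once any one of them verifies."""
    return "secure" if any(verified_chains(owner_wire, ds_set, dnskey_set, rrsigs, rrset_wire)) else "bogus"

# Constructed sample matching the thread: the zone is signed only with algorithm 5,
# but the parent's DS RRset also lists an algorithm 8 key the zone never published.
OWNER = b"\x07example\x00"
KEY5 = DNSKEY(5, 12345, b"constructed-alg5-key-material")
DNSKEY_RRSET_WIRE = b"constructed canonical wire form of the DNSKEY RRset"
RRSIGS = [RRSIG(5, 12345, hmac.new(KEY5.public_key, DNSKEY_RRSET_WIRE, hashlib.sha256).digest())]
DS_SET = [DS(12345, 5, ds_digest(OWNER, KEY5)), DS(54321, 8, hashlib.sha256(b"never-published-alg8-key").digest())]
```

With this data the strict model returns "bogus" while the try-all model returns "secure", because the algorithm 5 chain verifies regardless of the unmatched algorithm 8 DS.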