[DNSSEC] BIND validates but not Unbound: who is right?
Mark Andrews
marka at isc.org
Mon Feb 16 21:45:51 UTC 2015
In message <20150216212821.GA27521 at nic.fr>, Stephane Bortzmeyer writes:
> On Tue, Feb 17, 2015 at 07:34:37AM +1100,
> Mark Andrews <marka at isc.org> wrote
> a message of 171 lines which said:
>
> > The validator is *not* supposed to *check* if the zone has been
> > signed with all the algorithms in the DS RRset. It is supposed to
> > keep trying all RRSIG/DS/DNSKEY combinations until it succeeds.
>
> For the record, the relevant RFC seems to be RFC 6840, section 5.11,
> "A signed zone MUST include a DNSKEY for each algorithm present in the
> zone's DS RRset and expected trust anchors for the zone. The zone
> MUST also be signed with each algorithm (though not each key) present
> in the DNSKEY RRset."
That is an instruction to the signer. It is NOT an instruction to the
validator to check.
> It seems that the zone violated the first requirement (there was an
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second
> (there was only alg. 5 in the DNSKEY RRset).
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
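To make the distinction in this thread concrete, here is an added toy model (not code from the thread, BIND or Unbound) of the situation Stephane describes: the parent's DS RRset lists algorithms 5 and 8, the child serves only an algorithm-5 DNSKEY and signs with it. Two validator policies are run over the same records: one that keeps trying DS/DNSKEY/RRSIG combinations until one succeeds, and one that first insists every DS algorithm appear in the DNSKEY RRset. DS digests and key tags follow RFC 4034 (SHA-256 digest type 2), but the RRSIG signing and verification is an HMAC-SHA256 stand-in so the chain can run offline; all names, key material and record contents are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy model of the RFC 6840 s5.11 case discussed in the thread.
RSASHA1, RSASHA256 = 5, 8   # DNSSEC algorithm numbers
DS_SHA256 = 2               # DS digest type (SHA-256)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


@dataclass
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes  # constructed stand-in for real RSA/ECDSA key material

    def rdata(self) -> bytes:
        # flags (2) | protocol (1, always 3) | algorithm (1) | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag over the DNSKEY RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def make_ds(owner: str, key: DNSKEY) -> DS:
    # RFC 4034 s5.1.4: digest = SHA-256(owner name wire form || DNSKEY RDATA)
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DS_SHA256, digest)


def ds_matches_key(owner: str, ds: DS, key: DNSKEY) -> bool:
    return (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
            and ds.digest_type == DS_SHA256
            and hmac.compare_digest(ds.digest, make_ds(owner, key).digest))


# Stand-in for asymmetric RRSIG verification: HMAC-SHA256 keyed with the
# DNSKEY's "public key" bytes. It exists only so the chain-walking logic runs.
def sign(key: DNSKEY, data: bytes) -> RRSIG:
    return RRSIG(key.algorithm, key.key_tag(), hmac.new(key.pubkey, data, "sha256").digest())


def verify(key: DNSKEY, data: bytes, sig: RRSIG) -> bool:
    expected = hmac.new(key.pubkey, data, "sha256").digest()
    return (sig.algorithm == key.algorithm and sig.key_tag == key.key_tag()
            and hmac.compare_digest(expected, sig.signature))


def validate_by_trying_combinations(owner, ds_rrset, dnskey_rrset, rrsigs, data) -> bool:
    """Succeed as soon as any DS -> DNSKEY -> RRSIG chain checks out."""
    for ds in ds_rrset:
        for key in dnskey_rrset:
            if not ds_matches_key(owner, ds, key):
                continue
            for sig in rrsigs:
                if verify(key, data, sig):
                    return True
    return False


def validate_requiring_all_ds_algorithms(owner, ds_rrset, dnskey_rrset, rrsigs, data) -> bool:
    """Stricter policy: treat the signer rule of RFC 6840 s5.11 as a validator check."""
    if {ds.algorithm for ds in ds_rrset} - {k.algorithm for k in dnskey_rrset}:
        return False
    return validate_by_trying_combinations(owner, ds_rrset, dnskey_rrset, rrsigs, data)


OWNER = "example."
KEY5 = DNSKEY(257, RSASHA1, b"constructed-alg5-key-material")
KEY8 = DNSKEY(257, RSASHA256, b"constructed-alg8-key-material")
DATA = b"www.example. IN A 192.0.2.1"  # constructed RRset being covered

# Parent publishes DS records for both keys; the child serves only KEY5 and signs with it.
DS_RRSET = [make_ds(OWNER, KEY5), make_ds(OWNER, KEY8)]
DNSKEY_RRSET = [KEY5]
RRSIGS = [sign(KEY5, DATA)]

if __name__ == "__main__":
    print("try all combinations:", validate_by_trying_combinations(OWNER, DS_RRSET, DNSKEY_RRSET, RRSIGS, DATA))
    print("require every DS alg:", validate_requiring_all_ds_algorithms(OWNER, DS_RRSET, DNSKEY_RRSET, RRSIGS, DATA))
```

The combination-trying validator accepts the data because the algorithm-5 DS, DNSKEY and RRSIG form a complete chain, while the stricter policy returns bogus on the missing algorithm-8 DNSKEY alone. Tampering with the data, or removing the algorithm-5 key, makes the lenient validator fail too, so the leniency is only about which chains are tried, not about accepting unverified data.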