[dns-operations] Online DNSSEC debugging tool now availalbe

Edward Lewis Ed.Lewis at neustar.biz
Fri Jul 16 17:19:18 UTC 2010

At 9:20 -0700 7/16/10, Duane Wessels wrote:

>At some point I was under the impression that the keytags were only 
>"hints" but
>RFC 4035 seems clear that they should match.  The Net::DNS library 
>comments and
>documentation mention that it doesn't require keytag to match. 
>something about
>collisions and/or "keyid bug in BIND"

Historically they are hints but not in the sense that it was okay for 
keyid 55799 to validate an RRSIG with keyid in the RDATA of 754.  The 
"hints" are in the sense that you have to sub-select the key from the 
(DNS)KEY RR set, the hint told you which one(s)* to try.

* - it is possible that two differnt keys have the same keyid.  BIND 
elected long ago to not finish the generation of a key if it's keyid 
would conflict with another key "it could see."
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.

More information about the dns-operations mailing list