[dns-operations] Online DNSSEC debugging tool now available
Edward Lewis
Ed.Lewis at neustar.biz
Fri Jul 16 17:19:18 UTC 2010
At 9:20 -0700 7/16/10, Duane Wessels wrote:
>At some point I was under the impression that the keytags were only
>"hints" but RFC 4035 seems clear that they should match. The Net::DNS
>library comments and documentation mention that it doesn't require
>keytag to match. Something about collisions and/or "keyid bug in BIND".
Historically they are hints but not in the sense that it was okay for
keyid 55799 to validate an RRSIG with keyid in the RDATA of 754. The
"hints" are in the sense that you have to sub-select the key from the
(DNS)KEY RR set, the hint told you which one(s)* to try.
* - it is possible that two different keys have the same keyid. BIND
elected long ago to not finish the generation of a key if its keyid
would conflict with another key "it could see."
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
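As an added worked example (not code from this thread, nor from Net::DNS or BIND), here is the RFC 4034 Appendix B key tag computation together with the "sub-select the key from the DNSKEY RRset, then try each candidate" step described above; the sample keys are constructed, not real key material, and the first two are built to share a key tag.

```python
"""Key tag computation and DNSKEY selection per RFC 4034 Appendix B / RFC 4035 5.3.1."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = zone key (ZSK), 257 = zone key + SEP bit (KSK)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: even-offset octets are added shifted left by 8,
    odd-offset octets are added as-is, then the carry is folded back once.
    Appendix B.1 gives a separate rule for the deprecated algorithm 1 (RSAMD5);
    that case is deliberately not handled here."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(dnskey_rrset, rrsig_key_tag: int, rrsig_algorithm: int):
    """Return every DNSKEY in the RRset a validator must try against an RRSIG.

    The key tag only narrows the search: distinct keys can share a tag, so each
    candidate is tried in turn (the signature check itself is outside this
    example), and an empty list means no key in this RRset can validate it."""
    return [
        k for k in dnskey_rrset
        if k.protocol == 3                      # RFC 4035 5.3.1: protocol must be 3
        and k.flags & 0x0100                    # zone key flag must be set
        and k.algorithm == rrsig_algorithm      # algorithm must match the RRSIG
        and key_tag(k.rdata()) == rrsig_key_tag # key tag must match the RRSIG
    ]


# Constructed sample RRset (not real keys): two KSKs collide on tag 2063.
SAMPLE_RRSET = [
    DNSKEY(257, 3, 8, bytes([0x01, 0x02, 0x03, 0x04])),  # key tag 2063
    DNSKEY(257, 3, 8, bytes([0x01, 0x03, 0x03, 0x03])),  # key tag 2063 (collision)
    DNSKEY(256, 3, 8, bytes([0x00, 0x00, 0x00, 0x10])),  # key tag 1048
]
```

Running `candidate_keys(SAMPLE_RRSET, 2063, 8)` yields two keys to try, while a tag such as 754 that matches nothing yields an empty list.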