[dns-operations] [DNSSEC] Resolver behavior with broken DS records

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri May 6 08:18:54 UTC 2011


In an (involuntary) experiment under .FR, I discovered that the rule
"at least one DS must match for a child zone to be authenticated" is
wrong if a broken DS is present. In our case, the field Algorithm in
the DS did not match the one in the DNSKEY. While there was another
correct DS for the child zone, both BIND and Unbound servfailed. So,
the incorrect DS made the child zone bogus.

Is it normal and expected behavior or a bug common to these two name
servers?
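The matching rule the post refers to (RFC 4035 section 5.2: key tag, algorithm and digest must all agree for a DS to match a DNSKEY, and one matching DS suffices), as an added example that is not part of the original post: a DS whose algorithm field differs from the DNSKEY's is simply a non-matching DS and is ignored, so the child is still authenticated when a correct DS is also present. The zone name and the key bytes are constructed, not real.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag computation over the DNSKEY RDATA
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # only type 2 (SHA-256) is handled here
    digest: bytes


def wire_name(name: str) -> bytes:
    # Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    # RFC 4034 section 5.1.4: digest = SHA-256(owner name | DNSKEY RDATA) for digest type 2
    return DS(key.key_tag(), key.algorithm, 2, hashlib.sha256(wire_name(owner) + key.rdata()).digest())


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    # RFC 4035 section 5.2: a DS matches only if key tag, algorithm AND digest all agree
    if ds.digest_type != 2 or ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return hashlib.sha256(wire_name(owner) + key.rdata()).digest() == ds.digest


def child_authenticated(owner: str, ds_rrset, dnskey_rrset) -> bool:
    # A non-matching DS (e.g. wrong algorithm field) is ignored; any single match authenticates the child
    return any(ds_matches(ds, owner, k) for ds in ds_rrset for k in dnskey_rrset)


# Constructed sample (hypothetical zone, made-up key bytes): one correct DS and one with a wrong algorithm
CHILD = "example.fr."
KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes(range(64)))
GOOD_DS = make_ds(CHILD, KSK)
BROKEN_DS = DS(GOOD_DS.key_tag, 5, GOOD_DS.digest_type, GOOD_DS.digest)  # algorithm field mismatches DNSKEY
```

With both DS records present, `child_authenticated` returns True; only a DS RRset containing no matching DS at all should leave the child unauthenticated.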
