[dns-operations] [DNSSEC] Resolver behavior with broken DS records
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri May 6 10:31:43 UTC 2011
On Fri, May 06, 2011 at 10:57:20AM +0100,
George Barwood <george.barwood at blueyonder.co.uk> wrote
a message of 32 lines which said:
> I think resolvers are free to do any of the following:
Be careful, "my" case is more specific, it is when the DS and the
corresponding DNSKEY disagree (different algorithms) because of an
error in DS provisioning.
Otherwise (when, for instance, a DS points to nothing or when the
algorithm is unknown by the resolver), both BIND and Unbound have the
policy "any DS which works => AD".
In the case of a broken (not dangling or unknown, broken) DS, both
BIND and Unbound servfail, even if there is another DS, a correct one.
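The three DS situations the message distinguishes (a DS that matches a DNSKEY, a DS whose algorithm or digest type the resolver does not support, a DS that points at no key at all, and the "broken" case where a key with that tag exists but the DS algorithm or digest disagrees with it) can be told apart offline by recomputing the DS from the zone's DNSKEY RRset, which is the check an operator would run before publishing a DS at the parent. The following is an added example and not code from the list post or from BIND or Unbound; it implements the RFC 4034 DS digest input (owner name in wire form followed by the DNSKEY RDATA) and the RFC 4034 appendix B key tag, and every zone name, key byte string and DS record in it is constructed for illustration, not real key material.

```python
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 6605 that this checker understands.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, dnskey, digest_type=2):
    """Expected DS (tag, algorithm, digest type, hex digest) for one DNSKEY."""
    flags, protocol, algorithm, pubkey = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def classify_ds(ds, owner, dnskeys, supported_algorithms):
    """Classify one DS against the zone's DNSKEY RRset.

    'match'       : tag, algorithm, digest type and digest all agree with a key
    'unsupported' : algorithm or digest type the (simulated) resolver cannot use
    'dangling'    : no key shares the tag or the digest (DS points to nothing)
    'mismatch'    : a key is clearly meant (same tag or same digest) but the
                    DS algorithm or digest disagrees with it: the provisioning
                    error the post calls a "broken" DS
    """
    tag, algorithm, digest_type, digest = ds
    digest = digest.upper()
    if algorithm not in supported_algorithms or digest_type not in DIGESTS:
        return "unsupported"
    expected = [ds_from_dnskey(owner, key, digest_type) for key in dnskeys]
    if (tag, algorithm, digest_type, digest) in expected:
        return "match"
    if any(exp[0] == tag or exp[3] == digest for exp in expected):
        return "mismatch"
    return "dangling"


def check_delegation(owner, ds_records, dnskeys, supported_algorithms):
    """Map every DS in a delegation to its classification."""
    return {ds: classify_ds(ds, owner, dnskeys, supported_algorithms) for ds in ds_records}


# Constructed sample data (hypothetical zone, placeholder key bytes).
OWNER = "example.test."
PUBKEY = bytes([3, 1, 0, 1]) + bytes(range(64))  # not a real public key
KSK = (257, 3, 8, PUBKEY)                         # flags 257, protocol 3, RSASHA256
SUPPORTED = {5, 7, 8, 13}                         # algorithms our resolver model knows

GOOD_DS = ds_from_dnskey(OWNER, KSK)
_tag, _alg, _dtype, _digest = GOOD_DS
BROKEN_DS = (_tag, 7, _dtype, _digest)                # algorithm typed wrongly at the parent
DANGLING_DS = ((_tag + 1) & 0xFFFF, 8, 2, "00" * 32)  # refers to no published key
UNSUPPORTED_DS = (_tag, 8, 99, _digest)               # digest type 99 is unknown

if __name__ == "__main__":
    report = check_delegation(OWNER, [GOOD_DS, BROKEN_DS, DANGLING_DS, UNSUPPORTED_DS], [KSK], SUPPORTED)
    for ds, verdict in report.items():
        print(f"DS {ds[0]} {ds[1]} {ds[2]} {ds[3][:16]}...  -> {verdict}")
```

Run against the real DNSKEY RRset and the DS set published at the parent, a "mismatch" verdict is the one to fix before the delegation goes live, since the message reports that this is the case where BIND and Unbound return SERVFAIL even when another, correct DS is present alongside it.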