[dns-operations] [DNSSEC] Resolver behavior with broken DS records

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri May 6 10:31:43 UTC 2011

On Fri, May 06, 2011 at 10:57:20AM +0100,
 George Barwood <george.barwood at blueyonder.co.uk> wrote 
 a message of 32 lines which said:

> I think resolvers are free to do any of the following:

Be careful, "my" case is more specific, it is when the DS and the
corresponding DNSKEY disagree (different algorithms) because of an
error in DS provisioning.

Otherwise (when, for instance, a DS points to nothing or when the
algorithm is unknown by the resolver), both BIND and Unbound have the
policy "any DS which works => AD".

In the case of a broken (not dangling or unknown, broken) DS, both
BIND and Unbound servfail, even if there is another DS, a correct one.

More information about the dns-operations mailing list