[dns-operations] [DNSSEC] Resolver behavior with broken DS records
Mark Andrews
marka at isc.org
Fri May 6 15:40:32 UTC 2011
In message <20110506081854.GA13147 at nic.fr>, Stephane Bortzmeyer writes:
> In an (involuntary) experiment under .FR, I discovered that the rule
> "at least one DS must match for a child zone to be authenticated" is
> wrong if a broken DS is present. In our case, the field Algorithm in
> the DS did not match the one in the DNSKEY. While there was another
> correct DS for the child zone, both BIND and Unbound servfailed. So,
> the incorrect DS made the child zone bogus.
>
> Is it normal and expected behavior or a bug common to these two name
> servers?
Depends on the DS records. If SHA256 DS records exist then SHA1 DS
records are supposed to be ignored. If the broken record was SHA256
and the rest SHA1 you would get this behaviour.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
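An added illustration (not part of the thread, and not BIND or Unbound code) of the DS selection rule Mark describes, in Python: a validator applies RFC 4509 section 3 (ignore SHA-1 DS records when any SHA-256 DS is present) before it looks for "at least one DS that matches a DNSKEY", so a broken SHA-256 DS alongside a correct SHA-1 DS leaves no usable DS at all. The DNSKEY bytes and zone name are constructed sample data.

```python
import hashlib
import struct

# Constructed sample DNSKEY for "example.": flags 257 (KSK), protocol 3,
# algorithm 8 (RSASHA256). The key material is arbitrary filler; only the
# DS-to-DNSKEY matching logic is exercised here.
ZONE = "example."
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + bytes(range(64))

def name_to_wire(name):
    """Canonical lowercase wire-format owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def make_ds(zone, rdata, digest_type):
    """DS as (key tag, algorithm, digest type, digest), RFC 4034 section 5.1.4."""
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def usable_ds(ds_rrset):
    """RFC 4509 section 3: if any SHA-256 DS is present, ignore every SHA-1 DS."""
    if any(ds[2] == 2 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] == 2]
    return ds_rrset

def ds_matches(ds, zone, rdata):
    """A DS matches a DNSKEY only if key tag, algorithm and digest all agree."""
    return ds[2] in DIGESTS and ds == make_ds(zone, rdata, ds[2])

def zone_secure(ds_rrset, zone, dnskeys):
    """Secure iff at least one usable DS authenticates one of the child's keys."""
    return any(ds_matches(ds, zone, k) for ds in usable_ds(ds_rrset) for k in dnskeys)

# The .FR-style case: a correct DS plus one whose Algorithm field is wrong (7 != 8).
good_sha1 = make_ds(ZONE, DNSKEY_RDATA, 1)
good_sha256 = make_ds(ZONE, DNSKEY_RDATA, 2)
broken_sha256 = (good_sha256[0], 7, 2, good_sha256[3])
broken_sha1 = (good_sha1[0], 7, 1, good_sha1[3])
```

With `[good_sha1, broken_sha256]` the zone comes out bogus because the SHA-1 DS is discarded before matching; with `[broken_sha1, good_sha256]` or `[good_sha1, broken_sha1]` the "at least one match" rule still holds.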