[dns-operations] [DNSSEC] Resolver behavior with broken DS records

Mark Andrews marka at isc.org
Fri May 6 15:40:32 UTC 2011

In message <20110506081854.GA13147 at nic.fr>, Stephane Bortzmeyer writes:
> In an (involuntary) experiment under .FR, I discovered that the rule
> "at least one DS must match for a child zone to be authenticated" is
> wrong if a broken DS is present. In our case, the field Algorithm in
> the DS did not match the one in the DNSKEY. While there was another
> correct DS for the child zone, both BIND and Unbound servfailed. So,
> the incorrect DS made the child zone bogus.
> Is it normal and expected behavior or a bug common to these two name
> servers?

Depends on the DS records.  If SHA256 DS records exist then SHA1 DS
records are supposed to be ignored.  If the broken record was SHA256
and the rest SHA1 you would get this behaviour.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
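The rule Mark describes (a validator that sees any SHA-256 DS ignores the SHA-1 ones, so a broken SHA-256 DS beside a correct SHA-1 DS makes the child bogus, while the reverse mix still validates) can be walked through in code. The following Python is an added example written for this page, not BIND or Unbound code; the zone name, the DNSKEY blob and the wrong algorithm value are constructed sample data, and the DS digests are computed as RFC 4034 specifies (hash over the canonical owner name followed by the DNSKEY RDATA).

```python
import hashlib
import struct

# DS digest types (RFC 4034 and RFC 4509)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}

# Constructed sample child zone and KSK: algorithm 8 (RSASHA256) with a
# placeholder key blob; the digest maths does not care what the bytes are.
CHILD_ZONE = "example.fr."
CHILD_KSK = {"flags": 257, "protocol": 3, "algorithm": 8,
             "key": b"constructed-not-a-real-rsa-key"}


def name_to_wire(name):
    """Canonical (lowercased, length-prefixed) wire form of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["key"]


def key_tag(rdata):
    """Key tag computation from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, key, digest_type, algorithm=None):
    """Build the DS a parent would publish for `key`.

    `algorithm` lets the caller mis-state the DS algorithm field on purpose,
    which is the kind of broken DS the thread is about.
    """
    rdata = dnskey_rdata(key)
    digest = DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata),
            "algorithm": key["algorithm"] if algorithm is None else algorithm,
            "digest_type": digest_type,
            "digest": digest}


def ds_matches_key(owner, ds, key):
    """A DS authenticates a DNSKEY only if tag, algorithm and digest all agree."""
    rdata = dnskey_rdata(key)
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != key["algorithm"]:
        return False
    hashfn = DIGEST_FUNCS.get(ds["digest_type"])
    if hashfn is None:
        return False  # unsupported digest type: cannot be used, cannot match
    return hashfn(name_to_wire(owner) + rdata).digest() == ds["digest"]


def usable_ds(ds_set):
    """RFC 4509 section 3 preference: drop SHA-1 DS records when any SHA-256 DS exists."""
    if any(ds["digest_type"] == DIGEST_SHA256 for ds in ds_set):
        return [ds for ds in ds_set if ds["digest_type"] == DIGEST_SHA256]
    return [ds for ds in ds_set if ds["digest_type"] in DIGEST_FUNCS]


def validate_delegation(owner, ds_set, dnskeys):
    """'secure' if at least one usable DS matches a DNSKEY, otherwise 'bogus'."""
    for ds in usable_ds(ds_set):
        for key in dnskeys:
            if ds_matches_key(owner, ds, key):
                return "secure"
    return "bogus"


def scenario(broken_digest_type, good_digest_type):
    """Delegation with one correct DS and one DS whose algorithm field is wrong."""
    good = make_ds(CHILD_ZONE, CHILD_KSK, good_digest_type)
    broken = make_ds(CHILD_ZONE, CHILD_KSK, broken_digest_type, algorithm=5)  # claims RSASHA1
    return validate_delegation(CHILD_ZONE, [good, broken], [CHILD_KSK])


if __name__ == "__main__":
    # Broken DS is SHA-256, correct DS is SHA-1: the SHA-1 one is ignored -> bogus
    print("broken SHA-256, good SHA-1:", scenario(DIGEST_SHA256, DIGEST_SHA1))
    # Broken DS is SHA-1, correct DS is SHA-256: the broken one is ignored -> secure
    print("broken SHA-1, good SHA-256:", scenario(DIGEST_SHA1, DIGEST_SHA256))
    # Both SHA-1: the broken one is simply skipped -> secure
    print("broken SHA-1, good SHA-1:", scenario(DIGEST_SHA1, DIGEST_SHA1))
```

The preference step in `usable_ds` is what turns a single bad record into a bogus delegation: once a SHA-256 DS is present, a correct SHA-1 DS no longer counts as a fallback. When checking a parent's DS set before publishing, verify every DS (tag, algorithm field and digest) against the child's DNSKEY rather than stopping at the first match. RFC 6840 later relaxed the RFC 4509 rule so that validators accept any matching DS of a supported digest type; the code above models the 2011 behaviour the thread discusses.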
