[dns-operations] [DNSSEC] Resolver behavior with broken DS records

Mathieu Arnold mat at mat.cc
Sat May 7 20:11:20 UTC 2011

+--On 7 May 2011 01:40:32 +1000 Mark Andrews <marka at isc.org> wrote:
| In message <20110506081854.GA13147 at nic.fr>, Stephane Bortzmeyer writes:
|> In an (involuntary) experiment under .FR, I discovered that the rule
|> "at least one DS must match for a child zone to be authenticated" is
|> wrong if a broken DS is present. In our case, the field Algorithm in
|> the DS did not match the one in the DNSKEY. While there was another
|> correct DS for the child zone, both BIND and Unbound servfailed. So,
|> the incorrect DS made the child zone bogus.
|> Is it normal and expected behavior or a bug common to these two name
|> servers?
| Depends on the DS records.  If SHA256 DS records exist then SHA1 DS
| records are supposed to be ignored.  If the broken record was SHA256
| and the rest SHA1 you would get this behaviour.

Hum, I think that was the case, I had the right SHA1 DS and I added the
SHA256 DS with a wrong algorithm, RSA/MD5 instead of RSASHA1-NSEC3-SHA1.

Mathieu Arnold
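The following is an added example, not code from the thread or from BIND or Unbound. It models the rule Mark Andrews describes (RFC 4509, section 3: when a SHA-256 DS is present, SHA-1 DS records are ignored) together with the RFC 4035 section 5.2 match test (algorithm, key tag and digest must all agree), and reproduces the situation Mathieu reports: a correct SHA-1 DS plus a SHA-256 DS whose algorithm field says RSA/MD5 (1) instead of RSASHA1-NSEC3-SHA1 (7). The zone name and the DNSKEY bytes are constructed filler; the DS digest is computed over the owner name and DNSKEY RDATA exactly as a validator would, but nothing here is a usable key.

```python
import hashlib
import struct

# Digest types (RFC 4034 / RFC 4509) and the two algorithm numbers the thread mentions.
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
ALG_RSAMD5 = 1                 # "RSA/MD5" in the thread
ALG_RSASHA1_NSEC3_SHA1 = 7     # "RSASHA1-NSEC3-SHA1"


def name_to_wire(name):
    """Owner name in uncompressed, lower-cased wire format (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte, always 3), algorithm (1 byte), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type, algorithm_field=None):
    """Build a DS for the DNSKEY. The algorithm field normally copies the DNSKEY's
    algorithm; algorithm_field lets the example reproduce a mistyped DS."""
    hasher = hashlib.sha1 if digest_type == DIGEST_SHA1 else hashlib.sha256
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3] if algorithm_field is None else algorithm_field,
        "digest_type": digest_type,
        "digest": hasher(name_to_wire(owner) + rdata).digest(),
    }


def usable_ds(ds_rrset):
    """RFC 4509 section 3: if any SHA-256 DS is present, the SHA-1 ones are ignored."""
    if any(ds["digest_type"] == DIGEST_SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds["digest_type"] == DIGEST_SHA256]
    return list(ds_rrset)


def ds_matches_key(ds, owner, rdata):
    """RFC 4035 section 5.2: algorithm, key tag and digest must all agree."""
    if ds["algorithm"] != rdata[3] or ds["key_tag"] != key_tag(rdata):
        return False
    hasher = hashlib.sha1 if ds["digest_type"] == DIGEST_SHA1 else hashlib.sha256
    return hasher(name_to_wire(owner) + rdata).digest() == ds["digest"]


def validate_delegation(owner, ds_rrset, dnskeys, prefer_sha256=True):
    """'secure' if at least one usable DS authenticates a DNSKEY, otherwise 'bogus'."""
    candidates = usable_ds(ds_rrset) if prefer_sha256 else list(ds_rrset)
    for ds in candidates:
        for rdata in dnskeys:
            if ds_matches_key(ds, owner, rdata):
                return "secure"
    return "bogus"


# Constructed sample data: hypothetical zone name and filler key bytes (not a real key).
OWNER = "example.fr."
KSK_RDATA = dnskey_rdata(257, ALG_RSASHA1_NSEC3_SHA1, bytes(range(1, 65)))
GOOD_DS = make_ds(OWNER, KSK_RDATA, DIGEST_SHA1)
# The mistake from the thread: a SHA-256 DS whose algorithm field says RSA/MD5.
BROKEN_DS = make_ds(OWNER, KSK_RDATA, DIGEST_SHA256, algorithm_field=ALG_RSAMD5)

if __name__ == "__main__":
    print("SHA-1 DS only:", validate_delegation(OWNER, [GOOD_DS], [KSK_RDATA]))
    print("both, SHA-256 preferred:",
          validate_delegation(OWNER, [GOOD_DS, BROKEN_DS], [KSK_RDATA]))
    print("both, no preference:",
          validate_delegation(OWNER, [GOOD_DS, BROKEN_DS], [KSK_RDATA], prefer_sha256=False))
```

With both records in the parent, the SHA-256 preference leaves only the broken DS as a candidate, its algorithm field disagrees with the DNSKEY, and the delegation comes out bogus even though the SHA-1 DS on its own would validate. The practical check before publishing a DS is to derive it from the DNSKEY (BIND's dnssec-dsfromkey does this) and to compare the algorithm and key tag fields against the child's DNSKEY rather than typing them by hand.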
