[dns-operations] Double-signature validation "And" or "OR" ?

Davey Song(宋林健) ljsong at biigroup.cn
Thu Jun 1 02:39:14 UTC 2017

Hi folks, 


I encounter a question on how DNSSEC validating resolver work if it receive
double-signature. Does it require the resolver to validate both signatures
or only one signature if that one is validated? 


I guess the relation of the two signature is logic “Or” for unique
algorithm, and logic “And” for multiple algorithm. Because I read some
resolver checks that a valid chain of trust exists for different algorithm
separately (like Unbound). Is it true? 


Best regards,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170601/17a8ed18/attachment.html>

More information about the dns-operations mailing list