[dns-operations] 答复: Double-signature validation "And" or "OR" ?

Davey Song(宋林健) ljsong at biigroup.cn
Thu Jun 1 06:10:04 UTC 2017

Thank you for your reply. But not root zone has no parent and no DS of dot.

> A validator can choose OR or AND but it must use the DS records to
> the set of algorithms that are active rather than those in the DNSKEY
> The two sets can be different.

More specifically if there are two RRSIG for DS and NSEC of TLDs in root
zone, how validator works? Can BIND be configured to choose "AND" which
means two RRSIG should be validated before it accept a RRset?


More information about the dns-operations mailing list