[dns-operations] Re: Double-signature validation "And" or "OR" ?

Davey Song(宋林健) ljsong at biigroup.cn
Thu Jun 1 06:10:04 UTC 2017


Thank you for your reply. But note the root zone has no parent and no DS of dot.

> A validator can choose OR or AND but it must use the DS records to determine
> the set of algorithms that are active rather than those in the DNSKEY RRset.
> The two sets can be different.

More specifically, if there are two RRSIGs for DS and NSEC of TLDs in the root
zone, how does the validator work? Can BIND be configured to choose "AND", which
means two RRSIGs should be validated before it accepts an RRset?

Davey  






