[dns-operations] 答复: Double-signature validation "And" or "OR" ?

Mark Andrews marka at isc.org
Thu Jun 1 06:30:48 UTC 2017

In message <017f01d2da9d$b6e0eb80$24a2c280$@cn>, =?gb2312?B?RGF2ZXkgU29uZyjLzsH
WvaEp?= writes:
> Thank you for your reply. But not root zone has no parent and no DS of dot.
> > A validator can choose OR or AND but it must use the DS records to
> determine
> > the set of algorithms that are active rather than those in the DNSKEY
> RRset.
> > The two sets can be different.
> More specifically if there are two RRSIG for DS and NSEC of TLDs in root
> zone, how validator works?

Named works something like this to check a individual RRset.

	foreach RRSIG in RRSIGs
		if (check(RRSET, RRSIG)) then
	return (fail)

> Can BIND be configured to choose "AND" which
> means two RRSIG should be validated before it accept a RRset?

Named only implements OR.
> Davey  
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list