[dns-operations] Re: Double-signature validation "And" or "OR" ?
Mark Andrews
marka at isc.org
Thu Jun 1 06:30:48 UTC 2017
In message <017f01d2da9d$b6e0eb80$24a2c280$@cn>, Davey Song(宋林健) writes:
> Thank you for your reply. But not root zone has no parent and no DS of dot.
>
> > A validator can choose OR or AND but it must use the DS records to determine
> > the set of algorithms that are active rather than those in the DNSKEY RRset.
> > The two sets can be different.
>
> More specifically if there are two RRSIG for DS and NSEC of TLDs in root
> zone, how validator works?
Named works something like this to check an individual RRset.

    foreach RRSIG in RRSIGs
        if (check(RRSET, RRSIG)) then
            return(ok)
    return (fail)

> Can BIND be configured to choose "AND" which
> means two RRSIG should be validated before it accept a RRset?
Named only implements OR.
> Davey
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
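
Added example, not part of the original message and not BIND's code: the OR loop described above next to one possible reading of "AND", where every algorithm listed in the DS RRset must have a verifying RRSIG. The key tags, the sample RRset and the hash-based `toy_sign` stand-in for real signature verification are all constructed assumptions.

```python
import hashlib
from collections import namedtuple

Key = namedtuple("Key", "tag alg secret")    # secret: stand-in for key material
Rrsig = namedtuple("Rrsig", "tag alg sig")

def toy_sign(key, rrset):
    # Stand-in for a real DNSSEC signature; NOT cryptographically meaningful.
    return Rrsig(key.tag, key.alg, hashlib.sha256(key.secret + rrset).digest())

def check(rrset, rrsig, keys):
    """True if rrsig verifies under a DNSKEY with the same tag and algorithm."""
    return any(k.tag == rrsig.tag and k.alg == rrsig.alg
               and toy_sign(k, rrset).sig == rrsig.sig for k in keys)

def validate_or(rrset, rrsigs, keys):
    # OR: the first RRSIG that verifies is enough to accept the RRset.
    return any(check(rrset, s, keys) for s in rrsigs)

def validate_and(rrset, rrsigs, keys, ds_algs):
    # Assumed meaning of AND: each algorithm in the DS RRset (not the
    # DNSKEY RRset) needs at least one RRSIG that verifies.
    verified = {s.alg for s in rrsigs if check(rrset, s, keys)}
    return set(ds_algs) <= verified

# Constructed sample data: a zone signed with algorithms 8 and 13.
K8 = Key(1111, 8, b"alg8-standin")
K13 = Key(2222, 13, b"alg13-standin")
KEYS = [K8, K13]
RRSET = b"example. 3600 IN NS ns1.example."
SIGS_BOTH = [toy_sign(K8, RRSET), toy_sign(K13, RRSET)]
BAD13 = Rrsig(2222, 13, b"\x00" * 32)           # RRSIG that does not verify
SIGS_ONE_BAD = [toy_sign(K8, RRSET), BAD13]

if __name__ == "__main__":
    for name, sigs in (("both good", SIGS_BOTH), ("alg 13 bad", SIGS_ONE_BAD)):
        print(name,
              "OR:", validate_or(RRSET, sigs, KEYS),
              "AND(DS={8,13}):", validate_and(RRSET, sigs, KEYS, {8, 13}),
              "AND(DS={8}):", validate_and(RRSET, sigs, KEYS, {8}))
```

With one broken RRSIG the OR policy still accepts the RRset, while the AND policy accepts it only when the DS RRset does not list the algorithm whose signature failed.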