[dns-operations] Re: Re: Double-signature validation "And" or "OR" ?

Davey Song(宋林健) ljsong at biigroup.cn
Thu Jun 1 06:40:03 UTC 2017


OK, I understand. It sounds to me that the DNSSEC validation logic depends
on the implementation, but is not required by the DNSSEC specification, right?

Davey
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org]
> Sent: 1 June 2017 14:31
> To: Davey Song(宋林健)
> Cc: dns-operations at dns-oarc.net
> Subject: Re: Re: [dns-operations] Double-signature validation "And" or "OR" ?
> 
> 
> In message <017f01d2da9d$b6e0eb80$24a2c280$@cn>,
> Davey Song(宋林健) writes:
> > Thank you for your reply. But note the root zone has no parent and no DS of
> > dot.
> >
> > > A validator can choose OR or AND but it must use the DS records to
> > > determine the set of algorithms that are active rather than those in
> > > the DNSKEY RRset.  The two sets can be different.
> >
> > More specifically, if there are two RRSIGs for the DS and NSEC of TLDs in
> > the root zone, how does a validator work?
> 
> Named works something like this to check an individual RRset.
> 
> 	foreach RRSIG in RRSIGs
> 		if (check(RRSET, RRSIG)) then
> 			return(ok)
> 	return (fail)
> 
> > Can BIND be configured to choose "AND", which means two RRSIGs should be
> > validated before it accepts an RRset?
> 
> Named only implements OR.
> 
> > Davey
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
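To make the two policies in the thread concrete, here is an added toy model (not BIND code, and with signature checking stubbed out by a callback rather than real crypto): `validate_or` is the loop Mark describes, and `validate_and` is the hypothetical "AND" rule that requires a valid RRSIG for every algorithm the parent's DS set marks as active. The DS/RRSIG classes, the `check_stub` callback and the sample records are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class DS:          # one DS record from the parent (or a trust anchor for the root)
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class RRSIG:       # one signature over the RRset being validated
    key_tag: int
    algorithm: int
    valid: bool    # stands in for the real check(RRset, RRSIG) result

def active_algorithms(ds_set: Iterable[DS]) -> set[int]:
    """Algorithms the validator treats as in use come from the DS set
    (or the configured trust anchors for the root), never from the
    child's own DNSKEY RRset, which may advertise extra algorithms."""
    return {ds.algorithm for ds in ds_set}

def validate_or(rrsigs: Iterable[RRSIG], check: Callable[[RRSIG], bool]) -> bool:
    """named's behaviour: accept the RRset on the first RRSIG that checks out."""
    for sig in rrsigs:
        if check(sig):
            return True
    return False

def validate_and(rrsigs: Iterable[RRSIG], ds_set: Iterable[DS],
                 check: Callable[[RRSIG], bool]) -> bool:
    """Hypothetical AND policy: every active algorithm needs one valid RRSIG.
    Signatures for algorithms absent from DS neither help nor hurt."""
    needed = active_algorithms(ds_set)
    satisfied = {s.algorithm for s in rrsigs if s.algorithm in needed and check(s)}
    return bool(needed) and satisfied == needed

def check_stub(sig: RRSIG) -> bool:
    """Constructed stand-in for cryptographic verification."""
    return sig.valid

# Constructed sample: the parent publishes DS for algorithms 8 and 13 only.
SAMPLE_DS = [DS(12345, 8), DS(23456, 13)]
# The child signs with 8 (good), 13 (bad signature) and 14 (no DS for it).
SAMPLE_RRSIGS = [RRSIG(12345, 8, True), RRSIG(23456, 13, False), RRSIG(34567, 14, True)]
SAMPLE_RRSIGS_ALL_OK = [RRSIG(12345, 8, True), RRSIG(23456, 13, True)]

if __name__ == "__main__":
    print("OR :", validate_or(SAMPLE_RRSIGS, check_stub))                # True
    print("AND:", validate_and(SAMPLE_RRSIGS, SAMPLE_DS, check_stub))    # False
```

Note that under AND the valid algorithm-14 signature does not rescue the RRset, because 14 is not in the DS set; only the DS-derived algorithms count.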