[dns-operations] Re: Double-signature validation "And" or "OR" ?

Mark Andrews marka at isc.org
Thu Jun 1 07:08:52 UTC 2017


The root zone has published trust anchors which perform the same
role as DS records.  Named validates the DNSKEY RRset against these
and validates the rest of the root zone against the DNSKEY RRset.

Mark

In message <20170601063048.B8AEF7AAFA7F at rock.dv.isc.org>, Mark Andrews writes:
> 
> In message <017f01d2da9d$b6e0eb80$24a2c280$@cn>, Davey Song (宋林健) writes:
> > Thank you for your reply. But the root zone has no parent and no DS of dot.
> > 
> > > A validator can choose OR or AND but it must use the DS records to
> > > determine the set of algorithms that are active rather than those in
> > > the DNSKEY RRset.  The two sets can be different.
> > 
> > More specifically, if there are two RRSIGs for the DS and NSEC of TLDs in the
> > root zone, how does the validator work?
> 
> Named works something like this to check an individual RRset.
> 
> 	foreach RRSIG in RRSIGs
> 		if (check(RRSET, RRSIG)) then
> 			return(ok)
> 	return (fail)
> 
> > Can BIND be configured to choose "AND" which
> > means two RRSIGs should be validated before it accepts an RRset?
> 
> Named only implements OR.
>  
> > Davey  
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
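A runnable sketch of the two policies contrasted in this thread (OR, as named implements it, and AND, as asked about), added here as an example and not code from BIND or from either poster. The key tags, algorithm numbers and the keyed-HMAC stand-in for DNSSEC public-key signatures are constructed assumptions; the point it exercises is that the DS set, not the DNSKEY RRset, decides which keys and algorithms count.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed stand-in for DNSSEC: a keyed HMAC plays the role of the public-key
# signature so the validator policy can be exercised offline.
DNSKEY = namedtuple("DNSKEY", "tag algorithm secret")   # secret stands in for key material
DS = namedtuple("DS", "tag algorithm digest")
RRSIG = namedtuple("RRSIG", "tag algorithm signature")

def ds_for(key):
    # The parent-side DS commits to the key's identity, as a real DS digest does.
    ident = f"{key.tag}/{key.algorithm}".encode() + key.secret
    return DS(key.tag, key.algorithm, hashlib.sha256(ident).hexdigest())

def sign(key, rrset):
    return RRSIG(key.tag, key.algorithm, hmac.new(key.secret, rrset, "sha256").digest())

def check(key, sig, rrset):
    return ((key.tag, key.algorithm) == (sig.tag, sig.algorithm)
            and hmac.compare_digest(sign(key, rrset).signature, sig.signature))

def trusted_keys(dnskeys, ds_set):
    # Only keys that a DS authenticates are usable; an algorithm present in the
    # DNSKEY RRset but absent from the DS set never counts for either policy.
    return [k for k in dnskeys if ds_for(k) in ds_set]

def validate_or(rrset, rrsigs, dnskeys, ds_set):
    # named's rule: one good RRSIG under a trusted key is enough.
    keys = trusted_keys(dnskeys, ds_set)
    return any(check(k, s, rrset) for s in rrsigs for k in keys)

def validate_and(rrset, rrsigs, dnskeys, ds_set):
    # Stricter rule: every algorithm the DS set signals needs a good RRSIG.
    keys = trusted_keys(dnskeys, ds_set)
    active = {d.algorithm for d in ds_set}
    return all(any(check(k, s, rrset) for s in rrsigs for k in keys if k.algorithm == alg)
               for alg in active)

# Constructed zone: algorithms 8 and 13 are delegated via DS; 15 appears only in DNSKEY.
KEYS = [DNSKEY(1001, 8, b"k8"), DNSKEY(2002, 13, b"k13"), DNSKEY(3003, 15, b"k15")]
DS_SET = {ds_for(KEYS[0]), ds_for(KEYS[1])}
RRSET = b"example. 3600 IN DS <constructed rdata>"  # stands in for the canonical wire form
```

With only an algorithm 8 RRSIG present, OR accepts and AND rejects; an RRSIG made by the algorithm 15 key is rejected under both policies because no DS vouches for that key.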


