[dns-operations] Re: Re: Double-signature validation "And" or "OR" ?

Mark Andrews marka at isc.org
Thu Jun 1 07:12:02 UTC 2017


In message <018601d2daa1$e73adcb0$b5b09610$@cn>, Davey Song(宋林健) writes:
> OK. I understand. It sounds to me that the DNSSEC validation logic
> depends on implementation, but is not required in the DNSSEC
> specification, right?

There are parts that are specified and parts that are implementation
choice.  If you read the RFCs the parts that are implementation
and/or operator choice are spelt out.

Mark

> Davey
> > -----Original Message-----
> > From: Mark Andrews [mailto:marka at isc.org]
> > Sent: 1 June 2017 14:31
> > To: Davey Song(宋林健)
> > Cc: dns-operations at dns-oarc.net
> > Subject: Re: Re: [dns-operations] Double-signature validation "And" or "OR" ?
> >
> >
> > In message <017f01d2da9d$b6e0eb80$24a2c280$@cn>,
> > Davey Song(宋林健) writes:
> > > Thank you for your reply. But not root zone has no parent and no DS of dot.
> > >
> > > > A validator can choose OR or AND but it must use the DS records to
> > > > determine the set of algorithms that are active rather than those
> > > > in the DNSKEY RRset.
> > > > The two sets can be different.
> > >
> > > More specifically if there are two RRSIG for DS and NSEC of TLDs in
> > > root zone, how validator works?
> >
> > Named works something like this to check an individual RRset.
> >
> > 	foreach RRSIG in RRSIGs
> > 		if (check(RRSET, RRSIG)) then
> > 			return(ok)
> > 	return (fail)
> >
> > > Can BIND be configured to choose "AND" which means two RRSIG should be
> > > validated before it accepts an RRset?
> >
> > Named only implements OR.
> >
> > > Davey
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
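
The OR loop quoted above, set beside an AND policy, as an added example that is not part of this message or of BIND's code. Assumptions: an HMAC stands in for real DNSSEC signatures, AND is taken to mean "one valid RRSIG per active algorithm", and the key tags, secrets and RRset bytes are constructed. The last two results show why the active set should come from the DS records rather than the DNSKEY RRset.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:            # toy DNSKEY: an HMAC secret stands in for a key pair
    tag: int
    alg: int
    secret: bytes

@dataclass(frozen=True)
class Rrsig:          # toy RRSIG: key tag, algorithm number, signature bytes
    tag: int
    alg: int
    sig: bytes

def sign(key, rrset):
    return Rrsig(key.tag, key.alg,
                 hmac.new(key.secret, rrset, hashlib.sha256).digest())

def check(rrset, rrsig, dnskeys):
    """True if a DNSKEY with matching tag and algorithm verifies the RRSIG."""
    return any(hmac.compare_digest(sign(k, rrset).sig, rrsig.sig)
               for k in dnskeys if (k.tag, k.alg) == (rrsig.tag, rrsig.alg))

def validate_or(rrset, rrsigs, dnskeys):
    """OR: the first RRSIG that checks out is enough."""
    return any(check(rrset, s, dnskeys) for s in rrsigs)

def validate_and(rrset, rrsigs, dnskeys, active_algs):
    """AND (assumed meaning): every active algorithm needs a valid RRSIG."""
    return all(any(s.alg == a and check(rrset, s, dnskeys) for s in rrsigs)
               for a in active_algs)

def demo():
    rrset = b"example. 86400 IN NSEC ... (constructed sample)"
    k8, k13 = Key(1111, 8, b"secret-a"), Key(2222, 13, b"secret-b")
    dnskeys = [k8, k13]
    good = [sign(k8, rrset), sign(k13, rrset)]
    one_bad = [sign(k8, rrset), Rrsig(2222, 13, b"\x00" * 32)]
    only8 = [sign(k8, rrset)]     # zone signs with 8 only; 13 is in DNSKEY
    return {
        "or_both_good": validate_or(rrset, good, dnskeys),
        "and_both_good": validate_and(rrset, good, dnskeys, {8, 13}),
        "or_one_bad": validate_or(rrset, one_bad, dnskeys),
        "and_one_bad": validate_and(rrset, one_bad, dnskeys, {8, 13}),
        "and_using_ds_algs": validate_and(rrset, only8, dnskeys, {8}),
        "and_using_dnskey_algs": validate_and(
            rrset, only8, dnskeys, {k.alg for k in dnskeys}),
    }
```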


