[dns-operations] 答复: 答复: Double-signature validation "And" or "OR" ?

Mukund Sivaraman muks at isc.org
Thu Jun 1 07:26:45 UTC 2017

Hi Davey

On Thu, Jun 01, 2017 at 02:40:03PM +0800, Davey Song(宋林健) wrote:
> OK. I understand. It sounds to me that the DNSSEC validation logic is depend
> on implementation , but not required in DNSSEC specification, right ?

RFC 4035 section 5 covers validator behavior. E.g., in section 5.3.3.
Checking the Signature:

   If other RRSIG RRs also cover this RRset, the local resolver security
   policy determines whether the resolver also has to test these RRSIG
   RRs and how to resolve conflicts if these RRSIG RRs lead to differing


More information about the dns-operations mailing list