[dns-operations] Double-signature validation "And" or "OR" ?

Paul Vixie paul at redbarn.org
Thu Jun 1 07:28:40 UTC 2017


On Thursday, June 1, 2017 3:16:39 AM GMT Mark Andrews wrote:
...
> 
> A validator can choose OR or AND but it must use the DS records to
> determine the set of algorithms that are active rather than those
> in the DNSKEY RRset.  The two sets can be different.

i assume you mean "verified trust path" since a static trust anchor or 
verified DLV chain would have the same effect as a DS RR in the above sense.

vixie



More information about the dns-operations mailing list