[dns-operations] Re: Re: Re: Double-signature validation "And" or "OR" ?

Davey Song(宋林健) ljsong at biigroup.cn
Thu Jun 1 07:57:07 UTC 2017

Thanks, I got it. So there is room for local resolver security policy. Do you know what open source DNS supports this kind of policy? BIND does not have such an option.

I understand that in most cases a resolver doesn't take the trouble to double check the RRSIG RRs, given that the signatures are usually signed by one entity, for key rollover for example, due to a unique trust anchor. I'm thinking about a corner case where it makes sense if the signatures are signed by different entities which constitute a trust anchor by a union.


> -----Original Message-----
> From: Mukund Sivaraman [mailto:muks at isc.org]
> Sent: June 1, 2017 15:27
> To: Davey Song(宋林健)
> Cc: 'Mark Andrews'; dns-operations at dns-oarc.net
> Subject: Re: [dns-operations] Re: Re: Double-signature validation "And" or
> "OR" ?
> Hi Davey
> On Thu, Jun 01, 2017 at 02:40:03PM +0800, Davey Song(宋林健) wrote:
> > OK. I understand. It sounds to me that the DNSSEC validation logic
> > depends on the implementation, but is not required in the DNSSEC specification, right?
> RFC 4035 section 5 covers validator behavior. E.g., in section 5.3.3.
> Checking the Signature:
>    If other RRSIG RRs also cover this RRset, the local resolver security
>    policy determines whether the resolver also has to test these RRSIG
>    RRs and how to resolve conflicts if these RRSIG RRs lead to differing
>    results.
> 		Mukund
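
The policy choice discussed in this thread, as an added example that is not part of either message and not taken from any resolver's code: it compares an "OR" policy, an "AND" policy, and the union-of-signers case raised above over the same set of RRSIGs. The key tags, timestamps and the `crypto_ok` flag (a stand-in for the actual signature verification) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    key_tag: int      # tag of the DNSKEY that made the signature
    inception: int    # start of validity window (epoch seconds, simplified)
    expiration: int   # end of validity window
    crypto_ok: bool   # assumed result of the cryptographic check (not computed here)

def passes(sig, trusted_tags, now):
    """One RRSIG is good if its key is trusted, it is in its window, and it verifies."""
    return (sig.key_tag in trusted_tags
            and sig.inception <= now <= sig.expiration
            and sig.crypto_ok)

def validate(rrsigs, trusted_tags, now, policy):
    good = {s.key_tag for s in rrsigs if passes(s, trusted_tags, now)}
    if policy == "or":        # any one good signature is enough
        ok = bool(good)
    elif policy == "and":     # every RRSIG covering the RRset must be good
        ok = bool(rrsigs) and all(passes(s, trusted_tags, now) for s in rrsigs)
    elif policy == "union":   # every trusted key must have produced a good signature
        ok = bool(trusted_tags) and good == set(trusted_tags)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return "secure" if ok else "bogus"

# Constructed sample data: two signing entities, identified by made-up key tags.
TRUSTED = {11111, 22222}
NOW = 1_496_300_000
A_OK = Rrsig(11111, NOW - 3600, NOW + 3600, True)
B_OK = Rrsig(22222, NOW - 3600, NOW + 3600, True)
B_BAD = Rrsig(22222, NOW - 3600, NOW + 3600, False)

def outcomes(rrsigs):
    """Result of each policy for the same set of RRSIGs."""
    return {p: validate(rrsigs, TRUSTED, NOW, p) for p in ("or", "and", "union")}

if __name__ == "__main__":
    for label, sigs in [("both good", [A_OK, B_OK]),
                        ("one fails", [A_OK, B_BAD]),
                        ("one missing", [A_OK])]:
        print(label, outcomes(sigs))
```

The "one missing" case separates the last two policies: with only one entity's RRSIG present, "and" still returns secure, while "union" returns bogus because the second entity never signed.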
