[DNSSEC] Resolver behavior with broken DS records
'Stephane Bortzmeyer'
bortzmeyer at nic.fr
Mon May 9 11:51:31 UTC 2011
On Mon, May 09, 2011 at 01:41:08PM +0200,
Marc Lampo <marc.lampo at eurid.eu> wrote
a message of 28 lines which said:
> So the "error" of the mismatched must be in the SHA-2 DS records ?
Yes.
> And *not* in the SHA-1's ? Or in both ?
RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no
symmetry: the problem exists only if the invalid DS is the one hashed
with SHA-2.
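The asymmetry described in the reply above, as an added example that is not part of the original message and is not BIND's code. It assumes the validator follows the RFC 4509 section 3 recommendation to ignore SHA-1 DS records when a SHA-256 DS is present; the zone name and key bytes are constructed, and key tag and algorithm matching are left out.

```python
import hashlib

SHA1, SHA256 = 1, 2  # DS digest type numbers
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, dnskey_rdata, digest_type):
    """DS digest is hash(owner name | DNSKEY RDATA), per RFC 4034."""
    return HASHES[digest_type](wire_name(owner) + dnskey_rdata).digest()

def usable_ds(ds_rrset):
    """RFC 4509 section 3: ignore SHA-1 DS records if a SHA-256 DS is present."""
    if any(t == SHA256 for t, _ in ds_rrset):
        return [(t, d) for t, d in ds_rrset if t != SHA1]
    return list(ds_rrset)

def chain_ok(owner, dnskey_rdata, ds_rrset):
    """True if a DS the validator still considers matches the DNSKEY."""
    return any(t in HASHES and ds_digest(owner, dnskey_rdata, t) == d
               for t, d in usable_ds(ds_rrset))

# Constructed sample: DNSKEY RDATA with flags=257, protocol=3, algorithm=8, dummy key.
OWNER = "example.test."
KEY = (257).to_bytes(2, "big") + bytes([3, 8]) + bytes(range(64))
GOOD1 = (SHA1, ds_digest(OWNER, KEY, SHA1))
GOOD2 = (SHA256, ds_digest(OWNER, KEY, SHA256))
BAD1 = (SHA1, bytes(20))    # constructed digests that match no key
BAD2 = (SHA256, bytes(32))

def demo():
    return {
        "both valid": chain_ok(OWNER, KEY, [GOOD1, GOOD2]),
        "SHA-1 broken, SHA-256 valid": chain_ok(OWNER, KEY, [BAD1, GOOD2]),
        "SHA-1 valid, SHA-256 broken": chain_ok(OWNER, KEY, [GOOD1, BAD2]),
        "only SHA-1, valid": chain_ok(OWNER, KEY, [GOOD1]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'secure' if ok else 'bogus'}")
```

Only the third case fails: the valid SHA-1 DS is never consulted because a SHA-256 DS exists in the RRset.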