[DNSSEC] Resolver behavior with broken DS records
Marc Lampo
marc.lampo at eurid.eu
Mon May 9 13:33:21 UTC 2011
Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
4 DS's in total,
for each KSK 1 DS with SHA-1, one with SHA-2
for one KSK, the algorithm used was changed from 5 to 8.
(I needed to do extra change of output of "dnssec-dsfromkey",
because that tool calculates the keyid and ended up with a value 3 higher
then the one of the key in the child.
But now, the same keyid is in the child zone and in the DS-record at the
parent.
And I still have authenticated (AD-bit) answers)
Kind regards,
Marc
-----Original Message-----
From: 'Stephane Bortzmeyer' [mailto:bortzmeyer at nic.fr]
Sent: 09 May 2011 01:52 PM
To: Marc Lampo
Cc: bind-users at lists.isc.org
Subject: Re: [DNSSEC] Resolver behavior with broken DS records
On Mon, May 09, 2011 at 01:41:08PM +0200,
Marc Lampo <marc.lampo at eurid.eu> wrote
a message of 28 lines which said:
> So the "error" of the mismatched must be in the SHA-2 DS records ?
Yes.
> And *not* in the SHA-1's ? Or in both ?
RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no
symmetry: the problem exists only if the invalid DS is the one hashed
with SHA-2.
More information about the bind-users
mailing list