problem registering DS records with EDUCAUSE, sanity check please

Mark Andrews marka at isc.org
Tue Jul 15 23:36:34 UTC 2014


In message <070d01cfa067$ad9b1050$08d130f0$@acm.org>, "Paul B. Henson" writes:
> > From: Stephane Bortzmeyer
> > Sent: Tuesday, July 15, 2014 12:43 AM
> >
> > You can also note that it is quite common to publish DS without any
> > matching KSK. It is even documented in RFC 6781, section 4.2.4. For an
> > actual example, see .UK <http://dnsviz.net/d/uk/dnssec/> (the yellow
> > path).
> 
> Interesting, my understanding was that if there was a dangling DS record in
> the parent that did not match a published DNSKEY in the child a validating
> client might consider the zone bogus and refuse to resolve it.

There has to be a working combination of DS/DNSKEY/RRSIG for each
DNSSEC algorithm listed in the DS RRset.  DS records without a
matching DNSKEY or matching RRSIG cause validators to do more work.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
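
The per-algorithm rule from the reply above, as an added example that is not part of the original message or of BIND: it computes DS digests (RFC 4034) and reports, for each algorithm in the DS RRset, whether a DS/DNSKEY/RRSIG chain exists and which DS records dangle. Assumptions: the zone name and key bytes are constructed placeholders, and an RRSIG is modelled only as a (key tag, algorithm) pair, so the signature itself is not cryptographically verified.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_ds_rrset(owner, ds_rrset, dnskeys, rrsig_signers):
    """Per DS algorithm: is there a DS -> DNSKEY -> RRSIG chain, and which DS dangle?"""
    report = {}
    for tag, alg, dtype, digest in ds_rrset:
        entry = report.setdefault(alg, {"working": False, "dangling": []})
        ds = (tag, alg, dtype, digest.lower())
        matched = dtype in DIGESTS and any(make_ds(owner, k, dtype) == ds for k in dnskeys)
        if matched and (tag, alg) in rrsig_signers:
            entry["working"] = True
        else:
            entry["dangling"].append(tag)
    return report

# Constructed sample data: key bytes are placeholders, not real keys.
ZONE = "example.edu."
ACTIVE_KSK = dnskey_rdata(257, 8, b"constructed-active-ksk")
STANDBY_KSK = dnskey_rdata(257, 8, b"constructed-standby-ksk")   # DS pre-published, key not in zone
ALG13_KSK = dnskey_rdata(257, 13, b"constructed-alg13-ksk")      # DS published, key not in zone
DS_RRSET = [make_ds(ZONE, k, 2) for k in (ACTIVE_KSK, STANDBY_KSK, ALG13_KSK)]
DNSKEYS = [ACTIVE_KSK]
SIGNERS = {(key_tag(ACTIVE_KSK), 8)}   # (key tag, algorithm) of RRSIGs over the DNSKEY RRset

if __name__ == "__main__":
    for alg, res in check_ds_rrset(ZONE, DS_RRSET, DNSKEYS, SIGNERS).items():
        print(alg, res)
```

In the sample, algorithm 8 is reported as working with one dangling DS, while algorithm 13 has a DS but no working combination.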

