[DNSSEC] Resolver behavior with broken DS records
Tony Finch
dot at dotat.at
Mon May 9 14:08:00 UTC 2011
Marc Lampo <marc.lampo at eurid.eu> wrote:
> Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
>
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.
As I understand it the problem that Stephane reported occurred when the
single SHA-2 DS was broken but the single SHA-1 DS was correct but
disregarded by the validator. There is no fallback from SHA-2 DS to SHA-1
(RFC 4509 section 3) so if all SHA-2 DS records are broken the whole
domain is broken.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
More information about the bind-users
mailing list