In message <[email protected]>, "Paul B. Henson" writes:

> > From: Stephane Bortzmeyer
> > Sent: Tuesday, July 15, 2014 12:43 AM
> >
> > You can also note that it is quite common to publish DS without any
> > matching KSK. It is even documented in RFC 6781, section 4.2.4. For an
> > actual example, see .UK <http://dnsviz.net/d/uk/dnssec/> (the yellow
> > path).
>
> Interesting, my understanding was that if there was a dangling DS record in
> the parent that did not match a published DNSKEY in the child a validating
> client might consider the zone bogus and refuse to resolve it.
There has to be a working combination of DS/DNSKEY/RRSIG for each DNSSEC algorithm listed in the DS RRset. DS records without a matching DNSKEY or matching RRSIG cause validators to do more work.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
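As an added illustration of the rule in the reply above (this is not code from the thread, from ISC or from BIND), the following Python checks the DS/DNSKEY half of that combination: it computes DS digests and key tags per RFC 4034, classifies each DS in the parent as matched or dangling against the child's DNSKEY RRset, and flags any algorithm in the DS RRset that has no working pair at all. The RRSIG leg is left out, and the owner name and keys are constructed sample data, not real zone material.

```python
import hashlib
import struct
from dataclasses import dataclass

# DS digest types (RFC 4034 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum of the RDATA. It is only a hint
        # for which key to try first, not a unique identifier.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    # Canonical wire form (RFC 4034 section 6.2): lowercase labels, each
    # prefixed by its length, terminated by the empty root label.
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    # RFC 4034 section 5.1.4: digest = hash(owner name in wire form | DNSKEY RDATA)
    h = hashlib.new(DIGEST_ALGORITHMS[digest_type])
    h.update(wire_name(owner) + key.rdata())
    return DS(key.key_tag(), key.algorithm, digest_type, h.digest())


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    # A DS matches a DNSKEY only if algorithm, key tag and digest all agree.
    if ds.algorithm != key.algorithm or ds.key_tag != key.key_tag():
        return False
    if ds.digest_type not in DIGEST_ALGORITHMS:
        return False  # unknown digest type: unusable for building a chain
    return ds_from_dnskey(owner, key, ds.digest_type).digest == ds.digest


def check_delegation(owner: str, ds_set: list, dnskey_set: list) -> dict:
    """Classify each DS as matched or dangling, and report any algorithm in
    the DS RRset that has no working DS/DNSKEY pair at all."""
    matched, dangling = [], []
    for ds in ds_set:
        (matched if any(ds_matches(owner, ds, k) for k in dnskey_set) else dangling).append(ds)
    uncovered = sorted({d.algorithm for d in ds_set} - {d.algorithm for d in matched})
    return {
        "chain_ok": bool(matched) and not uncovered,  # every advertised algorithm is usable
        "matched": [d.key_tag for d in matched],
        "dangling": [d.key_tag for d in dangling],    # extra work for validators, not bogus
        "uncovered_algorithms": uncovered,            # this is the real breakage
    }


# Constructed sample keys: arbitrary bytes standing in for real public keys.
EXAMPLE_OWNER = "example.test."
KSK = DNSKEY(257, 3, 13, bytes(range(64)))
ZSK = DNSKEY(256, 3, 13, bytes(range(128, 192)))
RETIRED_KSK = DNSKEY(257, 3, 13, bytes(range(64, 128)))   # DS still in parent, key gone
UNPUBLISHED_ALG8_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(256)))

if __name__ == "__main__":
    current = ds_from_dnskey(EXAMPLE_OWNER, KSK)
    stale = ds_from_dnskey(EXAMPLE_OWNER, RETIRED_KSK)
    alg8 = ds_from_dnskey(EXAMPLE_OWNER, UNPUBLISHED_ALG8_KSK)
    child = [KSK, ZSK]
    print("clean:      ", check_delegation(EXAMPLE_OWNER, [current], child))
    print("dangling DS:", check_delegation(EXAMPLE_OWNER, [current, stale], child))
    print("missing alg:", check_delegation(EXAMPLE_OWNER, [current, alg8], child))
```

The three runs show the distinction the reply draws: a stale DS left behind after a KSK rollover is merely dangling (a validator tries it, fails the digest comparison, and moves on), whereas a DS advertising an algorithm for which the child publishes no key leaves that algorithm with no working path. The per-algorithm coverage rule is the signer's obligation from RFC 4035 section 2.2; validators following RFC 6840 section 5.11 accept any single valid DS/DNSKEY/RRSIG path, which is why the yellow path in the .UK example costs work rather than resolution.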

