One DS + DNSKEY is sufficient; others are ignored, as they can be for past or future keys. The only exception is when the DS records are for multiple algorithms: some implementations demand that all algorithms are working.
Olafur

On Thu, Jul 14, 2016 at 12:20 PM, Einar Bjarni Halldórsson <[email protected]> wrote:

> Hi,
>
> I’ve looked and could not find an answer to my question anywhere.
>
> If there are multiple DS records in a parent, with different key tags,
> where only one of the DS records has a corresponding DNSKEY record in the
> child zone that correctly signs the DNSKEY RRSET, will validating resolvers
> ignore the other DS records or could they cause responses from the child to
> become invalid?
>
> .einar
> ISNIC
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
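The DS-to-DNSKEY matching discussed in this thread, as an added example that is not part of the original messages or of any resolver's code. The zone name and key bytes are constructed, the `signs_rrset` flag stands in for RRSIG verification of the DNSKEY RRset, and `strict_algorithms` is a hypothetical switch modelling the implementations that demand every DS algorithm work.

```python
import hashlib
import struct

def name_to_wire(name):
    # Canonical (lowercase) wire form of an owner name
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    # flags, protocol (always 3), algorithm, public key
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, rdata):
    # (key tag, algorithm, digest type 2 = SHA-256, digest)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_secure(owner, ds_set, dnskeys, strict_algorithms=False):
    # dnskeys: list of (rdata, signs_rrset); signs_rrset stands in for
    # RRSIG verification of the DNSKEY RRset (assumption of this sketch).
    working = set()
    for tag, alg, dtype, digest in ds_set:
        for rdata, signs_rrset in dnskeys:
            if dtype != 2 or (key_tag(rdata), rdata[3]) != (tag, alg):
                continue  # DS with no corresponding DNSKEY: ignored
            wire = name_to_wire(owner) + rdata
            if signs_rrset and hashlib.sha256(wire).digest() == digest:
                working.add(alg)
    if strict_algorithms:  # hypothetical switch: every DS algorithm must work
        return bool(ds_set) and {ds[1] for ds in ds_set} <= working
    return bool(working)

# Constructed sample data: not real keys
ZONE = "child.example."
ACTIVE_KSK = dnskey_rdata(257, 13, bytes(range(64)))
RETIRED_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
OTHER_ALG_KSK = dnskey_rdata(257, 8, bytes(range(2, 70)))
ZSK = dnskey_rdata(256, 13, bytes(range(3, 67)))
CHILD_KEYS = [(ACTIVE_KSK, True), (ZSK, False)]
DS_ACTIVE, DS_RETIRED, DS_OTHER_ALG = (
    make_ds(ZONE, k) for k in (ACTIVE_KSK, RETIRED_KSK, OTHER_ALG_KSK))

if __name__ == "__main__":
    print(delegation_secure(ZONE, [DS_RETIRED, DS_ACTIVE], CHILD_KEYS))
    print(delegation_secure(ZONE, [DS_ACTIVE, DS_OTHER_ALG], CHILD_KEYS, True))
```

Before adding a DS for a second algorithm at the parent, running the strict check against the child's published keys shows whether the stricter validators would still accept the zone.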
