Einar Bjarni Halldórsson <[email protected]> wrote:
>
> If there are multiple DS records in a parent, with different key tags,
> where only one of the DS records has a corresponding DNSKEY record in
> the child zone that correctly signs the DNSKEY RRSET, will validating
> resolvers ignore the other DS records or could they cause responses from
> the child to become invalid?
Normally any individual DS record is sufficient to authenticate the DNSKEY
RRset - the others can be ignored.
However if there are DS records of multiple different algorithms then at
least one DS record of each algorithm must authenticate the DNSKEY RRset.
Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames: Northwest 4 or 5, becoming variable 3 or 4, becoming southwest
4 or 5 later. Slight or moderate, occasionally smooth. Fair. Good.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
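The rule in the reply above, worked through in code. This is an added example and not part of either message: it computes key tags and DS digests the way RFC 4034 defines them (key tag from Appendix B for non-RSAMD5 algorithms, DS digest over owner name plus DNSKEY RDATA), then checks a DS RRset against a DNSKEY RRset with the "any one DS is enough, but at least one per algorithm present in the DS RRset" condition. The RRSIG check itself is assumed to have been done elsewhere and is represented by the set of keys whose signature over the DNSKEY RRset verified; the zone name, key bytes and record contents are constructed for the demo.

```python
"""Added example: DS -> DNSKEY matching with the per-algorithm rule."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes   # public key field of the RDATA (constructed in the demo)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: str         # hex-encoded digest


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", key.flags, 3, key.algorithm) + key.public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS record a parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(key)
    digest = _DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """True if this DS record refers to this DNSKEY (tag, algorithm and digest all agree)."""
    if ds.algorithm != key.algorithm or ds.digest_type not in _DIGESTS:
        return False
    rdata = dnskey_rdata(key)
    if ds.key_tag != key_tag(rdata):
        return False
    expected = _DIGESTS[ds.digest_type](name_to_wire(owner) + rdata).hexdigest()
    return ds.digest.lower() == expected


def dnskey_rrset_authenticated(owner, ds_rrset, dnskey_rrset, signing_keys) -> bool:
    """Apply the rule from the reply: for every algorithm present in the DS RRset,
    at least one DS of that algorithm must point at a DNSKEY that signs the DNSKEY
    RRset. signing_keys is the set of DNSKEYs whose RRSIG verified (assumed input;
    the cryptographic check is not performed here). Extra, unmatched DS records of
    an algorithm that is already satisfied are simply ignored."""
    if not ds_rrset:
        return False
    for alg in {ds.algorithm for ds in ds_rrset}:
        satisfied = any(
            ds_matches(ds, owner, key)
            for ds in ds_rrset if ds.algorithm == alg
            for key in dnskey_rrset if key in signing_keys
        )
        if not satisfied:
            return False
    return True


def demo():
    owner = "example."                                   # constructed zone name
    live_ksk = DNSKEY(257, 13, bytes(range(64)))          # constructed key bytes
    stale_ksk = DNSKEY(257, 13, bytes(range(64, 128)))    # rolled out; not in the zone any more
    zsk = DNSKEY(256, 13, bytes(range(128, 192)))
    dnskey_rrset = [live_ksk, zsk]
    signing_keys = {live_ksk}                             # only the KSK signs the DNSKEY RRset

    # Two DS of the same algorithm, one stale: the stale one is ignored -> authenticated.
    same_alg = [ds_from_dnskey(owner, live_ksk), ds_from_dnskey(owner, stale_ksk)]
    # Add a DS of a second algorithm with no matching DNSKEY -> fails per-algorithm rule.
    other_alg_key = DNSKEY(257, 8, b"\x03\x01\x00\x01" + bytes(64))
    two_alg = same_alg + [ds_from_dnskey(owner, other_alg_key)]
    # Only the stale DS published -> no DS matches a signing key.
    stale_only = [ds_from_dnskey(owner, stale_ksk)]

    return (
        dnskey_rrset_authenticated(owner, same_alg, dnskey_rrset, signing_keys),
        dnskey_rrset_authenticated(owner, two_alg, dnskey_rrset, signing_keys),
        dnskey_rrset_authenticated(owner, stale_only, dnskey_rrset, signing_keys),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The three cases in `demo()` correspond to the situations in the thread: a leftover DS for a key that is no longer in the child zone is harmless as long as another DS of the same algorithm matches a signing key, but a DS for an algorithm the child no longer signs with is enough to make the DNSKEY RRset unauthenticatable under the rule stated in the reply.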