> I via these found RFC4035:
> "If the resolver does not support any of the algorithms listed in an
> authenticated DS RRset, then the resolver will not be able to verify
> the authentication path to the child zone. In this case, the
> resolver SHOULD treat the child zone as if it were unsigned."
> So obviously dnsmasq doesn't implement this SHOULD, because it treats these
> zones as bogus and doesn't respond back to the client.
> (btw, what happens if the entire child zone and all its RRs are signed with
> an unknown algoritm, is that even covered in the above paragraph?)
On delegation, the resolver checks the DS records in the parent zone. If
the DS record set contains a supported algorithm, the child zone should
be treated as secure. If no algorithm in the set is supported, the zone should
be treated as insecure.
So what happens in this case is that the domain name space below
the delegation with unsupported DS algorithm will be treated as insecure.
DNSOP mailing list