> It sounds like clarification is needed if even one (much less three)
> systems treat such a signature as Bogus. My reading of RFC 4035 is that
> any chain that successfully leads to a trust anchor should return
> Secure, even if a different chain returns Bogus.
If extra trust anchors are configured for security reasons (as opposed to availability) then I would expect some sort of longest match on the trust anchor that is to be used. For example, if I configure a trust anchor for example.com for security reasons, then that is probably because I don't fully trust the .com zone or even the root zone. If then a record fails to validate using the trust anchor that is configured for example.com, then it would be very bad if the resolver turns around and suddenly trusts the information from the .com zone.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
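As an added example (not code from this thread, from RFC 4035, or from any resolver), a small Python model of the two policies being contrasted: the "any chain that reaches an anchor is Secure" reading in the quoted message versus the longest-match rule proposed in the reply, under which a Bogus result beneath the most specific anchor is final and the resolver never falls back to the parent zone's anchor. Real chain building and signature checking are replaced by a constructed outcome table; the anchor set, the `simulated_chain` callback and every outcome in that table are assumptions made for the illustration.

```python
"""Trust-anchor selection: "any chain Secure" vs longest-match.

Added example for the DNSOP discussion above; not a resolver's code.
Chain validation is simulated by a callback; only the anchor-selection
and fallback policy is modelled for real.
"""
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple


class Status(Enum):
    """Validation outcomes in RFC 4035 terminology."""
    SECURE = "Secure"
    BOGUS = "Bogus"
    INDETERMINATE = "Indeterminate"   # no configured anchor covers the name


def labels(name: str) -> Tuple[str, ...]:
    """Canonical label tuple, root-first, case-folded, trailing dot ignored.
    "WWW.Example.COM." -> ("com", "example", "www"); "." -> ()."""
    name = name.strip().rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def canon(name: str) -> str:
    """Canonical textual form used as a table key ("." for the root)."""
    return ".".join(reversed(labels(name))) or "."


def covers(anchor: str, qname: str) -> bool:
    """True if qname is at or below anchor on a label boundary, so that
    "example.com" covers "www.example.com" but not "notexample.com"."""
    a = labels(anchor)
    return labels(qname)[: len(a)] == a


def longest_match(qname: str, anchors: Iterable[str]) -> Optional[str]:
    """Most specific configured anchor covering qname, or None."""
    candidates = [a for a in anchors if covers(a, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda a: len(labels(a)))


# (anchor, qname) -> outcome of validating qname along a chain rooted at
# that anchor.  A real resolver would chase DS/DNSKEY and check RRSIGs;
# here the outcomes come from a constructed table (see below).
ChainFn = Callable[[str, str], Status]


def validate_any_chain(qname: str, anchors: Iterable[str], chain: ChainFn) -> Status:
    """Reading quoted in the thread: Secure if a chain to any covering
    anchor succeeds, even when a chain to another anchor is Bogus."""
    outcomes = [chain(a, qname) for a in anchors if covers(a, qname)]
    if not outcomes:
        return Status.INDETERMINATE
    return Status.SECURE if Status.SECURE in outcomes else Status.BOGUS


def validate_longest_match(qname: str, anchors: Iterable[str], chain: ChainFn) -> Status:
    """Rule proposed in the reply: only the most specific anchor is used;
    a Bogus result under it is final, with no fallback to a parent anchor."""
    anchor = longest_match(qname, anchors)
    if anchor is None:
        return Status.INDETERMINATE
    return chain(anchor, qname)


# Constructed scenario (an assumption for this example): the operator does
# not fully trust .com or the root for example.com and configured a local
# anchor for it.  The chain through the root succeeds, while the chain from
# the local example.com anchor fails to validate.
ANCHORS = [".", "example.com"]

CONSTRUCTED_OUTCOMES: Dict[Tuple[str, str], Status] = {
    (".", "www.example.com"): Status.SECURE,
    ("example.com", "www.example.com"): Status.BOGUS,
    (".", "www.notexample.com"): Status.SECURE,
}


def simulated_chain(anchor: str, qname: str) -> Status:
    """Stand-in for DNSSEC chain validation; pairs not in the table are
    treated as a failed chain."""
    return CONSTRUCTED_OUTCOMES.get((canon(anchor), canon(qname)), Status.BOGUS)


if __name__ == "__main__":
    for name in ("www.example.com", "www.notexample.com"):
        print(name,
              "anchor:", longest_match(name, ANCHORS),
              "any-chain:", validate_any_chain(name, ANCHORS, simulated_chain).value,
              "longest-match:", validate_longest_match(name, ANCHORS, simulated_chain).value)
```

For `www.example.com` the two policies disagree: the any-chain reading returns Secure because the chain from the root succeeds, while the longest-match rule consults only the `example.com` anchor and returns Bogus. The label-boundary check in `covers` matters in practice, since a naive string suffix test would let an anchor for `example.com` also govern `notexample.com`.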