DLV is was not used so it couldn't really be the problem. Even if it would, the key in DLV (41992) is still active and correct. The revoked key is 35655 (was 35524 before it got revoked if I do the math correctly).
I say that the parser is wrong to accept a key with flag 385 at all. /S ---------------------------------------------------------------------- Stephan Lagerholm Senior DNS Architect, M.Sc. ,CISSP Secure64 Software Corporation, www.secure64.com Cell: 469-834-3940 > -----Original Message----- > From: Paul Wouters [mailto:[email protected]] > Sent: Wednesday, August 04, 2010 5:23 PM > To: Stephan Lagerholm > Cc: [email protected] > Subject: Re: [Unbound-users] Should we really validate with a revoked TA > > On Wed, 4 Aug 2010, Stephan Lagerholm wrote: > > > Admittedly miss configured but unbound validates www.secure64.com when a > revoked DNSKEY is used as a trust anchor, see > > attached unbound.conf. > > > > > > > > Isn't that a violation of 5011 section 2.1? > > > > "Once the resolver sees the REVOKE bit, it MUST NOT use this key as a > trust anchor or for any other purpose" > > I am not entirely sure how the unbound logic works. But it seems like this > might be happening > because the trust anchor that is revoked (key tag 41992) comes in via DLV. > But yes, technically, > this should be a ServFail. > > I trust you will add logic to look up the DLV record before allowing one > to finish a KSK rollover :) > > Paul _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
