On 05/07/2011 10:13 AM, W.C.A. Wijngaards wrote:
> On 05/06/2011 04:09 PM, Stephane Bortzmeyer wrote:
>> In an (involuntary) experiment under .FR, I discovered that the rule
>> "at least one DS must match for a child zone to be authenticated" is
>> wrong if a broken DS is present. In our case, the field Algorithm in
>> the DS did not match the one in the DNSKEY. While there was another
>> correct DS for the child zone, Unbound 1.4.6 servfails. So, the
>> incorrect DS made the child zone bogus.
>
> This should not happen; can you send me details, the DS records involved
> (and perhaps the DNSKEY records)? They are of the same algorithm, I
> assume?
Stephane sent me details off-list. It turns out to be the RFC 4509 rules that Unbound follows, which are intended to avoid downgrade attacks. Here it caused a failure even though one record was correct.

Best regards,
   Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
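An added example, not from this thread and not Unbound's code: a small Python model of DS-to-DNSKEY matching (RFC 4034) with the RFC 4509 digest-type preference that Wouter refers to. It assumes the failing case was a correct SHA-1 DS next to a SHA-256 DS whose algorithm field was wrong, which the thread does not state explicitly; all key material is constructed.

```python
import hashlib
import struct

# Added example: DS matching plus the RFC 4509 digest-type preference.
# Everything below is constructed; the "public key" is just a byte blob.

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types: 1 = SHA-1, 2 = SHA-256

def name_to_wire(name):
    """Owner name in canonical wire form (lower case, uncompressed), RFC 4034 s6.2."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def dnskey_rdata(dnskey):
    flags, protocol, algorithm, pubkey = dnskey
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type):
    """DS = (key tag, algorithm, digest type, hash(owner | DNSKEY RDATA)), RFC 4034 s5.1.4."""
    rdata = dnskey_rdata(dnskey)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": dnskey[2],
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds, owner, dnskey):
    """A DS authenticates a DNSKEY only if key tag, algorithm field and digest all agree."""
    if ds["digest_type"] not in DIGEST:       # unsupported digest type can never match
        return False
    exp = make_ds(owner, dnskey, ds["digest_type"])
    return (ds["key_tag"], ds["algorithm"], ds["digest"]) == (exp["key_tag"], exp["algorithm"], exp["digest"])

def rfc4509_filter(ds_set):
    """RFC 4509 s3: if any DS carries a SHA-256 digest, ignore the SHA-1 ones (downgrade defence)."""
    if any(ds["digest_type"] == 2 for ds in ds_set):
        return [ds for ds in ds_set if ds["digest_type"] != 1]
    return list(ds_set)

def validate_entry_point(owner, ds_set, dnskeys, apply_rfc4509=True):
    """'secure' if at least one surviving DS matches a child DNSKEY, otherwise 'bogus'."""
    candidates = rfc4509_filter(ds_set) if apply_rfc4509 else list(ds_set)
    return "secure" if any(ds_matches(ds, owner, k) for ds in candidates for k in dnskeys) else "bogus"

# Constructed scenario: a correct SHA-1 DS beside a SHA-256 DS with the wrong algorithm field.
OWNER = "child.example."
KSK = (257, 3, 8, bytes(range(40)))                     # flags, protocol, algorithm 8, fake key blob
GOOD_DS = make_ds(OWNER, KSK, 1)                        # correct, but SHA-1
BROKEN_DS = dict(make_ds(OWNER, KSK, 2), algorithm=7)   # SHA-256, algorithm field says 7 instead of 8
```

With both records present the RFC 4509 rule discards the only DS that actually matches, so the entry point comes out bogus; with the rule disabled, or with the SHA-1 DS alone, it is secure.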
