Hi Wouter,

On Fri, Jun 28, 2013 at 7:18 AM, W.C.A. Wijngaards <[email protected]> wrote:
>
> Unbound checks that the chain of trust uses the correct algorithm, as
> advertised by the DS record. The DS record advertises algorithm 7
> (only). The DNSKEY record set has keys for 7 and 8. The MX record is
> signed with only 8.
>
> Unbound is strict here, the DS record states that this chain of trust
> must be present (MUST in the RFC). It is not, bogus.
>

I realize this has been the subject of some discussion over the past several years. RFC 6840 [1] updates RFC 4035 to specify that this requirement applies to signers, not to validators:

    This requirement applies to servers, not validators. Validators SHOULD
    accept any single valid path. They SHOULD NOT insist that all algorithms
    signaled in the DS RRset work, and they MUST NOT insist that all
    algorithms signaled in the DNSKEY RRset work. A validator MAY have a
    configuration option to perform a signature completeness test to support
    troubleshooting.

Casey

[1] http://tools.ietf.org/html/rfc6840#section-5.11

> Bind is more lenient here, and a signature whose algorithm was not
> advertised is fine.
>
> Best regards,
>    Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
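An added model (not Unbound's or BIND's code, and not part of the original thread) of the two validator policies discussed above, run over the scenario Wouter describes. The `Rrsig` class, the algorithm sets and the `verified` flag standing in for the cryptographic check are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    """An RRSIG reduced to what the policy needs; `verified` stands in for the
    cryptographic check, which is assumed to have been done already."""
    algorithm: int
    verified: bool

def dnskey_rrset_secure(ds_algs, dnskey_sigs, strict):
    """Is the apex DNSKEY RRset authenticated from the parent's DS RRset?
    A signature only counts if its algorithm is one the DS RRset advertises."""
    ok = {s.algorithm for s in dnskey_sigs if s.verified and s.algorithm in ds_algs}
    if strict:
        return ok == set(ds_algs)   # every DS-advertised algorithm must work
    return bool(ok)                 # RFC 6840 5.11: any single valid path

def rrset_secure(ds_algs, dnskey_algs, rrset_sigs, strict):
    """Is a leaf RRset (the MX here) secure, given an authenticated DNSKEY RRset?"""
    ok = {s.algorithm for s in rrset_sigs if s.verified and s.algorithm in dnskey_algs}
    if strict:
        return set(ds_algs) <= ok   # strict reading: an RRSIG per DS algorithm
    return bool(ok)                 # RFC 6840 5.11: any verified RRSIG by an apex key

def validate(ds_algs, dnskey_algs, dnskey_sigs, rrset_sigs, strict):
    """'secure' or 'bogus' for the whole chain under the chosen policy."""
    secure = (dnskey_rrset_secure(ds_algs, dnskey_sigs, strict)
              and rrset_secure(ds_algs, dnskey_algs, rrset_sigs, strict))
    return "secure" if secure else "bogus"

def completeness_report(ds_algs, rrset_sigs):
    """The optional 'signature completeness test' from RFC 6840 5.11: which
    DS-advertised algorithms have no verified signature on this RRset."""
    ok = {s.algorithm for s in rrset_sigs if s.verified}
    return sorted(set(ds_algs) - ok)

# Constructed scenario from the thread: DS advertises 7 only, the apex DNSKEY
# RRset holds 7 and 8 and is signed by the algorithm-7 key, MX is signed with 8 only.
DS_ALGS = {7}
DNSKEY_ALGS = {7, 8}
DNSKEY_SIGS = [Rrsig(7, True)]
MX_SIGS = [Rrsig(8, True)]

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "rfc6840", validate(DS_ALGS, DNSKEY_ALGS, DNSKEY_SIGS, MX_SIGS, strict))
    print("DS algorithms lacking an MX signature:", completeness_report(DS_ALGS, MX_SIGS))
```

The strict policy returns bogus for the thread's zone while the RFC 6840 policy returns secure; the completeness report is what an operator would want from a troubleshooting option rather than from a validation failure.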
