On 28/06/13 15:18, W.C.A. Wijngaards wrote:
Hi Ehren,
On 06/28/2013 03:47 PM, Ehren Hawks wrote:
Yesterday a customer of ours reported they couldn’t get to
*mypay.dfas.mil*. Upon looking into it I see both of my Unbound
servers are returning SERVFAIL. Given the type of site this is I
suspected this to be a possible DNSSEC issue. I verified there’s an
issue here:
Unbound checks that the chain of trust uses the correct algorithm, as
advertised by the DS record. The DS record advertises algorithm 7
(only). The DNSKEY record set has keys for 7 and 8. The MX record is
signed with only 8.
Unbound is strict here, the DS record states that this chain of trust
must be present (MUST in the RFC). It is not, bogus.
Does the RFC really intend to enforce that algo transition can only take
place at a DS record, even with valid DNSKEY/RRSIG pairs all the way down?
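As an added illustration, not code from the thread or from Unbound: a toy Python model of the two readings of the algorithm rule under discussion, the strict one the reply attributes to Unbound and the relaxed one the follow-up question has in mind. The record sets are constructed, and the model assumes the DNSKEY RRset itself carries signatures for both algorithms, which the thread does not state.

```python
# Added example, not code from the thread or from Unbound: a minimal model
# of the two readings of the DS/DNSKEY/RRSIG algorithm rule being discussed
# (the strict reading of RFC 4035 section 2.2 versus the relaxed reading that
# RFC 6840 section 5.11 permits). Record sets are constructed; names assumed.
from dataclasses import dataclass

@dataclass
class ZoneSigning:
    ds_algorithms: set        # algorithms advertised by the parent's DS RRset
    dnskey_algorithms: set    # algorithms present in the zone's DNSKEY RRset
    rrsig_algorithms: dict    # RRset name -> algorithms of its RRSIGs

def validate_strict(zone, rrset):
    """Strict reading (the behaviour the reply attributes to Unbound):
    every DS-advertised algorithm must have a DNSKEY and must sign both the
    DNSKEY RRset and the queried RRset; otherwise the answer is bogus."""
    for alg in sorted(zone.ds_algorithms):
        if alg not in zone.dnskey_algorithms:
            return "bogus", f"DS algorithm {alg} has no DNSKEY"
        for name in ("DNSKEY", rrset):
            if alg not in zone.rrsig_algorithms.get(name, set()):
                return "bogus", f"{name} lacks an RRSIG with algorithm {alg}"
    return "secure", "every DS algorithm signs the chain"

def validate_relaxed(zone, rrset):
    """Relaxed reading: one valid chain is enough. Once the DNSKEY RRset is
    validated by any DS-matching algorithm, every key in it is trusted, so an
    RRSIG made with any of those keys validates the queried RRset."""
    dnskey_sigs = zone.rrsig_algorithms.get("DNSKEY", set())
    if not (zone.ds_algorithms & zone.dnskey_algorithms & dnskey_sigs):
        return "bogus", "DNSKEY RRset not validated by any DS algorithm"
    usable = zone.rrsig_algorithms.get(rrset, set()) & zone.dnskey_algorithms
    if not usable:
        return "bogus", f"{rrset} has no RRSIG from a trusted DNSKEY"
    return "secure", f"{rrset} validated via algorithm(s) {sorted(usable)}"

# Constructed to mirror the thread: DS lists 7 only, DNSKEY holds 7 and 8,
# MX is signed with 8 only; the DNSKEY RRset signed by both is an assumption.
THREAD_CASE = ZoneSigning(
    ds_algorithms={7},
    dnskey_algorithms={7, 8},
    rrsig_algorithms={"DNSKEY": {7, 8}, "MX": {8}},
)

if __name__ == "__main__":
    print("strict :", validate_strict(THREAD_CASE, "MX"))
    print("relaxed:", validate_relaxed(THREAD_CASE, "MX"))
```

Running it shows the same zone judged bogus under the strict rule and secure under the relaxed one, which is exactly the disagreement the question above is about.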
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users