-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> The validator is *not* supposed to *check* if the zone has been
>> signed with all the algorithms in the DS RRset. It is supposed
>> to keep trying all RRSIG/DS/DNSKEY combinations until it
>> succeeds
>
> For the record, the relevant RFC seems to be RFC 6840, section
> 5.11, "A signed zone MUST include a DNSKEY for each algorithm
> present in the zone's DS RRset and expected trust anchors for the
> zone. The zone MUST also be signed with each algorithm (though not
> each key) present in the DNSKEY RRset."
>
> It seems that the zone violated the first requirement (there was an
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the
> second (there was only alg. 5 in the DNSKEY RRset).

It's only fair to include the rest of section 5.11:

    This requirement applies to servers, not validators. Validators
    SHOULD accept any single valid path. They SHOULD NOT insist that
    all algorithms signaled in the DS RRset work, and they MUST NOT
    insist that all algorithms signaled in the DNSKEY RRset work. A
    validator MAY have a configuration option to perform a signature
    completeness test to support troubleshooting.

Thus indeed "The validator is *not* supposed to *check* (...)". But it
does give the validator some leeway to actually enforce that MUST from
your quote.

To come back to your question, who's right, Unbound or BIND? Unbound
is more strict. The authority was wrong.

//Yuri

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlTiZ6wACgkQI3PTR4mhavh1iQCdFypZc1JaVTrsDBUQVdI/aEo+
sHcAn1w6hviO6T3kJDeztuX9R+/qvgMz
=N6uq
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
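The DS-to-DNSKEY step of RFC 6840 section 5.11, as an added Python example that is not part of the thread above and is not Unbound or BIND code. It models the situation the thread describes: a DS RRset carrying algorithms 8 and 5 over a DNSKEY RRset that publishes only an algorithm 5 key. The default branch follows the validator guidance (one authenticated key is a valid path); the optional completeness test, which the RFC permits only as a troubleshooting option, also rejects because DS algorithm 8 has no published key behind it. The key tag and SHA-256 DS digest are computed as RFC 4034 and RFC 4509 specify; the zone name, the key bytes and the algorithm 8 DS are constructed placeholders, and verifying the DNSKEY RRset's RRSIG with a matched key is left to the caller.

```python
"""RFC 6840 section 5.11 in miniature: match a zone's DNSKEY RRset against
its DS RRset, then optionally run the algorithm-completeness test.
Added example; not Unbound or BIND source.  RRSIG verification of the
DNSKEY RRset with a matched key is out of scope here."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 section 2.1 wire format: flags, protocol, algorithm, public key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B.1 (every algorithm except the obsolete RSA/MD5, alg 1).
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS with digest type 2: SHA-256(owner name || DNSKEY RDATA), RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def dnskeys_matching_ds(owner: str, ds_rrset: List[DS], dnskey_rrset: List[DNSKEY]) -> List[DNSKEY]:
    """Keys the parent's DS RRset authenticates: key tag, algorithm and digest all agree.
    Any one of them is a 'single valid path' the validator may continue on."""
    matched = []
    for key in dnskey_rrset:
        for ds in ds_rrset:
            if ds.digest_type != 2:
                continue  # only SHA-256 digests are implemented in this example
            if ((ds.key_tag, ds.algorithm) == (key.key_tag(), key.algorithm)
                    and ds.digest == ds_from_dnskey(owner, key).digest):
                matched.append(key)
                break
    return matched


def ds_algorithms_missing_from_dnskey(ds_rrset: List[DS], dnskey_rrset: List[DNSKEY]) -> Set[int]:
    """DS algorithms for which the zone publishes no DNSKEY: the server-side MUST
    of section 5.11 that the zone in the thread violated."""
    return {ds.algorithm for ds in ds_rrset} - {key.algorithm for key in dnskey_rrset}


def evaluate_dnskey_rrset(owner: str, ds_rrset: List[DS], dnskey_rrset: List[DNSKEY],
                          completeness_test: bool = False) -> str:
    """Return 'secure' or 'bogus' for the DS -> DNSKEY step.

    The default follows the validator guidance in section 5.11: one authenticated
    key is enough.  completeness_test=True is the optional troubleshooting mode,
    which additionally rejects when some DS algorithm has no key at all."""
    if not dnskeys_matching_ds(owner, ds_rrset, dnskey_rrset):
        return "bogus"  # DS records exist, but no published key matches any of them
    if completeness_test and ds_algorithms_missing_from_dnskey(ds_rrset, dnskey_rrset):
        return "bogus"
    return "secure"


# Constructed scenario mirroring the thread (placeholder name and key bytes, not a
# real RSA key): the zone publishes one algorithm 5 KSK, while the parent also
# publishes a DS for an algorithm 8 key that the zone never published.
ZONE = "example."
KSK_ALG5 = DNSKEY(flags=257, protocol=3, algorithm=5, public_key=bytes(range(1, 33)))
DNSKEY_RRSET = [KSK_ALG5]
DS_RRSET = [
    ds_from_dnskey(ZONE, KSK_ALG5),  # the algorithm 5 DS the zone can satisfy
    DS(key_tag=12345, algorithm=8, digest_type=2, digest=bytes(32)),  # constructed alg 8 DS
]

if __name__ == "__main__":
    print("missing DS algorithms:", ds_algorithms_missing_from_dnskey(DS_RRSET, DNSKEY_RRSET))
    print("default validator    :", evaluate_dnskey_rrset(ZONE, DS_RRSET, DNSKEY_RRSET))
    print("completeness test    :",
          evaluate_dnskey_rrset(ZONE, DS_RRSET, DNSKEY_RRSET, completeness_test=True))
```

With the default setting the algorithm 5 path is enough and the zone evaluates as secure, which is what the quoted RFC text asks of validators. The completeness branch shows the stricter posture the RFC allows only as a configuration option; whether a particular resolver exposes such a switch, and what it does by default, is a question for that resolver's documentation rather than something this example settles.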
