In message <20150216212821.ga27...@nic.fr>, Stephane Bortzmeyer writes:

> On Tue, Feb 17, 2015 at 07:34:37AM +1100,
>  Mark Andrews <ma...@isc.org> wrote
>  a message of 171 lines which said:
>
> > The validator is *not* supposed to *check* if the zone has been
> > signed with all the algorithms in the DS RRset. It is supposed to
> > keep trying all RRSIG/DS/DNSKEY combinations until it succeeds.
>
> For the record, the relevant RFC seems to be RFC 6840, section 5.11,
> "A signed zone MUST include a DNSKEY for each algorithm present in the
> zone's DS RRset and expected trust anchors for the zone. The zone
> MUST also be signed with each algorithm (though not each key) present
> in the DNSKEY RRset."
That is an instruction to the signer. It is NOT an instruction to the validator to check.

> It seems that the zone violated the first requirement (there was an
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second
> (there was only alg. 5 in the DNSKEY RRset).

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
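The distinction drawn in this exchange, as an added illustration that is not part of the thread and not BIND code: one function checks the RFC 6840 section 5.11 obligations from the signer's side, the other does what a validator does, trying every DS/DNSKEY/RRSIG combination until one chain verifies. The record tuples, the `ds_digest`/`sig_for` stand-ins (hashes instead of real DS digests and public-key signatures), and the sample zone with key tag 12345 are all constructed for this example; the RRSIG here is taken to be the one over the DNSKEY RRset.

```python
import hashlib
from collections import namedtuple

# Minimal record models (constructed for this example, not real wire formats)
DS = namedtuple("DS", "key_tag alg digest")
DNSKEY = namedtuple("DNSKEY", "key_tag alg pubkey")
RRSIG = namedtuple("RRSIG", "key_tag alg sig")

def ds_digest(key):
    # Stand-in for the real DS digest over owner name + DNSKEY RDATA.
    return hashlib.sha256(f"{key.key_tag}/{key.alg}/{key.pubkey}".encode()).hexdigest()

def sig_for(key, data):
    # Stand-in for a public-key signature; only the selection logic matters here.
    return hashlib.sha256(f"{key.pubkey}:{data}".encode()).hexdigest()

def signer_violations(ds_rrset, dnskey_rrset, rrsigs):
    """RFC 6840 5.11 obligations, which bind the SIGNER: returns a list of breaches."""
    key_algs = {k.alg for k in dnskey_rrset}
    sig_algs = {s.alg for s in rrsigs}
    out = []
    for alg in sorted({d.alg for d in ds_rrset} - key_algs):
        out.append(f"DS lists alg {alg} but no DNSKEY has it")
    for alg in sorted(key_algs - sig_algs):
        out.append(f"DNSKEY has alg {alg} but zone not signed with it")
    return out

def validator_accepts(ds_rrset, dnskey_rrset, rrsigs, data):
    """What a VALIDATOR does: walk every DS/DNSKEY/RRSIG combination and stop at
    the first chain that verifies; unmatched DS algorithms are simply skipped.
    Returns (alg, key_tag) of the chain that worked, or None if nothing verified."""
    for ds in ds_rrset:
        for key in dnskey_rrset:
            if (key.key_tag, key.alg) != (ds.key_tag, ds.alg) or ds_digest(key) != ds.digest:
                continue  # this DS does not describe this key; keep trying
            for sig in rrsigs:
                if (sig.key_tag, sig.alg) == (key.key_tag, key.alg) and sig.sig == sig_for(key, data):
                    return (ds.alg, key.key_tag)
    return None

# Constructed sample zone: DS carries alg 5 and alg 8, but only an alg 5 key exists.
K5 = DNSKEY(12345, 5, "rsa-sha1-key-material")
DS_RRSET = [DS(12345, 5, ds_digest(K5)), DS(22222, 8, "0" * 64)]
DNSKEY_RRSET = [K5]
DNSKEY_DATA = "example. DNSKEY RRset"
RRSIGS = [RRSIG(12345, 5, sig_for(K5, DNSKEY_DATA))]
```

Run against the sample, `signer_violations` reports the missing alg 8 key while `validator_accepts` still returns the working alg 5 chain, which is exactly why a validator that insisted on every DS algorithm would fail a zone that another validator accepts.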