Hi, Together with my colleagues I have been stumbling upon a, for me, unclear case when validating trust anchors.
Assuming that a resolver has enabled DNSSEC validation and has the root keys configured. Additionally, it has configured manually a trust anchor for a TLD (that has also published its DS in the root zone). Now, for example due to a key rollover at the TLD, the manually configured trust anchor of the TLD does not match the DS in the root anymore. How should a resolver treat the signatures of this TLD? The resolvers of BIND, Unbound, and PowerDNS seem to treat the signatures of the TLD as bogus, but we didn't find any specifics in RFC 4034 and 4035 that describe how resolvers should behave in this case. Knot resolver treats them as NOERROR (according to the developers). If we interpret section 4.3 of RFC 4035 then we would have assumed that the signature must be treated as secure. Did we miss something, or is there indeed clarification needed? — Moritz
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
