[Unbound-users] Should we really validate with a revoked TA

Stephan Lagerholm stephan.lagerholm at secure64.com
Wed Aug 4 21:31:56 UTC 2010

Admittedly misconfigured, but unbound validates www.secure64.com
when a revoked DNSKEY is used as a trust
anchor, see attached unbound.conf.


Isn't that a violation of 5011 section 2.1?

"Once the resolver sees the REVOKE bit, it MUST NOT use this key as a
trust anchor or for any other purpose"




Stephan Lagerholm

Senior DNS Architect, M.Sc., CISSP

Secure64 Software Corporation, www.secure64.com

Cell: 469-834-3940


-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.conf
Type: application/octet-stream
Size: 335 bytes
Desc: unbound.conf
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20100804/dd68e0b3/attachment.obj>
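
Added example, not part of the original post or of Unbound's code: a check that scans unbound.conf text for trust-anchor DNSKEY records whose RFC 5011 REVOKE bit (0x0080 in the flags field) is set, the condition the post asks about. The sample configuration, zone names and key data are constructed, and the function names are hypothetical.

```python
import re

REVOKE = 0x0080              # RFC 5011 REVOKE bit in the DNSKEY flags field
CLASSES = {"IN", "CH", "HS"}

# Constructed sample, not the attachment from the post; key data is placeholder text.
SAMPLE_CONF = '''
server:
    # active KSK: flags 257 (Zone Key + SEP)
    trust-anchor: "example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA1="
    # same kind of key with REVOKE set: 257 + 128 = 385
    trust-anchor: "example.net. DNSKEY 385 3 8 PLACEHOLDERKEYDATA2="
    # DS anchors carry no flags field, so they cannot be checked this way
    trust-anchor: "example.org. IN DS 12345 8 2 0123abcd"
'''

# Matches only uncommented trust-anchor lines with a quoted resource record.
ANCHOR_RE = re.compile(r'^\s*trust-anchor:\s*"([^"]+)"')

def parse_anchor(rr):
    """Return (owner, rrtype, flags) for one RR string; flags is None unless DNSKEY."""
    fields = rr.split()
    owner, rest = fields[0], fields[1:]
    # Skip the optional TTL and class that may precede the RR type.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    if not rest:
        raise ValueError("no RR type in %r" % rr)
    rrtype = rest[0].upper()
    if rrtype == "DNSKEY":
        return owner, rrtype, int(rest[1])
    return owner, rrtype, None

def revoked_anchors(conf_text):
    """List owner names of DNSKEY trust anchors whose REVOKE bit is set."""
    hits = []
    for line in conf_text.splitlines():
        m = ANCHOR_RE.match(line)
        if not m:
            continue
        owner, _rrtype, flags = parse_anchor(m.group(1))
        if flags is not None and flags & REVOKE:
            hits.append(owner)
    return hits

if __name__ == "__main__":
    for name in revoked_anchors(SAMPLE_CONF):
        print("revoked trust anchor configured for", name)
```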
