[Unbound-users] [DNSSEC] Resolver behavior with broken DS records
bortzmeyer at nic.fr
Mon May 9 11:42:21 UTC 2011
On Mon, May 09, 2011 at 12:43:43PM +0200,
lst_hoe02 at kwsoft.de <lst_hoe02 at kwsoft.de> wrote
a message of 34 lines which said:
> That means higher grade hashes were invalid and no fallback will be
> done to the lower grade in this case?
Correct. And this seem to be on purpose (to avoid a downgrade attack
altough, in typical DNSSEC fashion, this will break a valid zone
without enhancing security).
More information about the Unbound-users