[Unbound-users] dfas.mil DNSSEC Failure
casey at deccio.net
Fri Jun 28 14:37:24 UTC 2013
On Fri, Jun 28, 2013 at 7:18 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> Unbound checks that the chain of trust uses the correct algorithm, as
> advertised by the DS record. The DS record advertises algorithm 7
> (only). The DNSKEY record set has keys for 7 and 8. The MX record is
> signed with only 8.
> Unbound is strict here, the DS record states that this chain of trust
> must be present (MUST in the RFC). It is not, bogus.
I realize this has been the subject of some discussion over the past
several years. RFC 6840 updates RFC 4035 to specify that this
requirement applies to signers, not to validators:
    This requirement applies to servers, not validators. Validators
    SHOULD accept any single valid path. They SHOULD NOT insist that all
    algorithms signaled in the DS RRset work, and they MUST NOT insist
    that all algorithms signaled in the DNSKEY RRset work. A validator
    MAY have a configuration option to perform a signature completeness
    test to support troubleshooting.
> Bind is more lenient here, and a signature whose algorithm was not
> advertised is fine.
> Best regards,
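The two validator policies under discussion, modelled as an added example (not code from the thread, Unbound or BIND). Cryptographic verification is assumed to succeed for every RRSIG listed; key tags and the zone layout are constructed to match the shape described above (DS advertises algorithm 7 only, DNSKEY RRset holds keys for 7 and 8, MX signed with 8 only).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Key:
    tag: int
    alg: int
    ksk: bool   # key expected to be referenced by the parent's DS record

@dataclass
class Zone:
    ds_algs: set           # algorithms advertised in the parent's DS RRset
    keys: list             # the apex DNSKEY RRset
    sigs: dict = field(default_factory=dict)   # RRset name -> tags of keys whose RRSIG verifies

def _alg_of(zone, tag):
    return next(k.alg for k in zone.keys if k.tag == tag)

def any_valid_path(zone, rrset):
    """RFC 6840 section 5.11 validator rule: accept any single valid chain of trust."""
    # Step 1: some DS algorithm must match a KSK that signs the DNSKEY RRset.
    anchored = [k for k in zone.keys
                if k.ksk and k.alg in zone.ds_algs and k.tag in zone.sigs.get("DNSKEY", set())]
    if not anchored:
        return False
    # Step 2: once the DNSKEY RRset is trusted, any key in it may sign the target RRset.
    known = {k.tag for k in zone.keys}
    return any(tag in known for tag in zone.sigs.get(rrset, set()))

def all_ds_algs_sign(zone, rrset):
    """Strict rule: every algorithm in the DS RRset must sign the DNSKEY RRset and the target."""
    for alg in zone.ds_algs:
        for name in ("DNSKEY", rrset):
            if not any(_alg_of(zone, t) == alg for t in zone.sigs.get(name, set())):
                return False
    return True

def outcome(zone, rrset, strict):
    ok = all_ds_algs_sign(zone, rrset) if strict else any_valid_path(zone, rrset)
    return "secure" if ok else "bogus"

# Constructed zone mirroring the thread (key tags are made up, not the real zone's):
# DS advertises 7 only; DNSKEY RRset has an alg-7 KSK and an alg-8 ZSK; MX is signed by alg 8 only.
THREAD_SHAPE = Zone(
    ds_algs={7},
    keys=[Key(tag=11111, alg=7, ksk=True), Key(tag=22222, alg=8, ksk=False)],
    sigs={"DNSKEY": {11111}, "MX": {22222}},
)

if __name__ == "__main__":
    print("strict :", outcome(THREAD_SHAPE, "MX", strict=True))    # bogus
    print("lenient:", outcome(THREAD_SHAPE, "MX", strict=False))   # secure
```

Running `all_ds_algs_sign` against your own zone data is the "signature completeness test" the RFC text mentions: it flags exactly the configuration a strict validator rejects, before the zone goes bogus for those resolvers.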