[Unbound-users] [DNSSEC] BIND validates but not Unbound: who is right?
Yuri Schaeffer
yuri at nlnetlabs.nl
Mon Feb 16 21:57:00 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>> The validator is *not* supposed to *check* if the zone has been
>> signed with all the alogorithms in the DS RRset. It is supposed
>> to keep trying all RRSIG/DS/DNSKEY combinations until it
>> succeeds
>
> For the record, the relevant RFC seems to be RFC 6840, section
> 5.11, "A signed zone MUST include a DNSKEY for each algorithm
> present in the zone's DS RRset and expected trust anchors for the
> zone. The zone MUST also be signed with each algorithm (though not
> each key) present in the DNSKEY RRset."
>
> It seems that the zone violated the first requirment (there was an
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the
> second (there was only alg. 5 in the DNSKEY RRset).
It's only fair to include the rest of section 5.11:
This requirement applies to servers, not validators. Validators
SHOULD accept any single valid path. They SHOULD NOT insist that all
algorithms signaled in the DS RRset work, and they MUST NOT insist
that all algorithms signaled in the DNSKEY RRset work. A validator
MAY have a configuration option to perform a signature completeness
test to support troubleshooting.
Thus indeed "The validator is *not* supposed to *check* (...)". But it
does give the validator some leeway to actually enforce that MUST from
your quote. To come back at your question, who's right Unbound or
BIND?: Unbound is more strict. The authority was wrong.
//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlTiZ6wACgkQI3PTR4mhavh1iQCdFypZc1JaVTrsDBUQVdI/aEo+
sHcAn1w6hviO6T3kJDeztuX9R+/qvgMz
=N6uq
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list