Hi Rob,

On Tue, 2025-11-11 at 13:30 +0100, rob777 via Pdns-users wrote:
> If I have two DS records for a domain at my registrar (let's assume
> the same algo) and one DS record is correct (fully validated chain) and
> the other is broken - will all recursors which validate DNSSEC work
> all the time while querying my domain, or will it work randomly/half
> of the time (because one of the two DS records is broken)...?
A proper security-aware resolver would validate the records properly, as that is the only way to do a key rollover. This requirement for having at least one valid path to a trust anchor is laid out in RFC 4035, section 5.3.1 [1].

Cheers,
Pieter

1 - https://www.rfc-editor.org/rfc/rfc4035#section-5.3.1

_______________________________________________
Pdns-users mailing list
https://mailman.powerdns.com/mailman/listinfo/pdns-users
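The behaviour Pieter describes can be checked with a small model of the DS-to-DNSKEY matching step a validator performs at a delegation. The example below is added here and is not code from the thread or from PowerDNS; the owner name, the DNSKEY public key bytes and the two DS records are constructed for illustration. It implements the DS digest from RFC 4034 section 5.1.4 (hash over the canonical owner name plus the DNSKEY RDATA), the key tag from RFC 4034 Appendix B, and the rule from RFC 4035 sections 5.2 and 5.3.1 that a DNSKEY is authenticated as soon as any one DS in the parent's set matches it. Signature verification is deliberately out of scope; only the DS matching is modelled.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (for all algorithms except the obsolete RSA/MD5)
        data = self.rdata()
        acc = 0
        for i, b in enumerate(data):
            acc += (b << 8) if i % 2 == 0 else b
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# Digest types a validator supports (RFC 4509 adds SHA-256, RFC 6605 adds SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS record a registrar should publish for this DNSKEY."""
    h = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """True if this single DS record authenticates this DNSKEY."""
    if ds.digest_type not in DIGESTS:
        return False  # unsupported digest type: this DS is unusable, but not an error by itself
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    expected = DIGESTS[ds.digest_type](name_to_wire(owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


def authenticate_dnskey_rrset(owner: str, ds_set: list, dnskeys: list) -> Optional[DNSKEY]:
    """Return the first DNSKEY that ANY DS in the parent's set authenticates, else None.

    RFC 4035 5.2/5.3.1: one valid DS -> DNSKEY path is sufficient; sibling DS records
    that do not match anything are simply skipped, not treated as a failure.
    """
    for ds in ds_set:
        for key in dnskeys:
            if ds_matches(ds, owner, key):
                return key
    return None


# ---- constructed sample data (not real keys or zones) ----
OWNER = "example.net."  # constructed owner name
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))  # constructed key bytes
GOOD_DS = ds_from_dnskey(OWNER, KSK)
# A DS with the right key tag and algorithm but a stale or mistyped digest
BROKEN_DS = DS(GOOD_DS.key_tag, GOOD_DS.algorithm, 2, bytes(32))


def demo() -> tuple:
    """(authenticates with one good + one broken DS?, authenticates with only the broken DS?)"""
    mixed = authenticate_dnskey_rrset(OWNER, [BROKEN_DS, GOOD_DS], [KSK])
    only_broken = authenticate_dnskey_rrset(OWNER, [BROKEN_DS], [KSK])
    return (mixed is not None, only_broken is not None)


if __name__ == "__main__":
    print(demo())
```

The broken DS is placed first in the set on purpose: the order in which the DS records arrive makes no difference, so there is no "half of the time" behaviour to worry about. Validation only fails once no DS in the set matches any DNSKEY, which is exactly the situation the second call models.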
