RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Tony Finch
Marc Lampo wrote:
> Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
>
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.

As I understand it the problem that Stephane reported occurred when the sing

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 03:33:21PM +0200, Marc Lampo wrote a message of 38 lines which said:
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.

If I understand well, you have two KSK. In that case, yes, it should work (

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
yer' [mailto:bortzme...@nic.fr]
Sent: 09 May 2011 01:52 PM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: [DNSSEC] Resolver behavior with broken DS records

On Mon, May 09, 2011 at 01:41:08PM +0200, Marc Lampo wrote a message of 28 lines which said:
> So the "error" of

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
'Stephane Bortzmeyer' [mailto:bortzme...@nic.fr]
Sent: 09 May 2011 01:46 PM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: [DNSSEC] Resolver behavior with broken DS records

On Mon, May 09, 2011 at 01:00:03PM +0200, Marc Lampo wrote a message of 47 lines which said:
> 1

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:00:03PM +0200, Marc Lampo wrote a message of 47 lines which said:
> 1 correct DS record,
> 1 DS record, correct in everything but the algorithm

And one DS record hashed with SHA-1 and one hashed with SHA-2? This was necessary to trigger the problem, because of RFC

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:41:08PM +0200, Marc Lampo wrote a message of 28 lines which said:
> So the "error" of the mismatched must be in the SHA-2 DS records ?

Yes.

> And *not* in the SHA-1's ? Or in both ?

RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no symmetry: th

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
Sent: 06 May 2011 03:40 PM
To: bind-users@lists.isc.org
Subject: [DNSSEC] Resolver behavior with broken DS records

In an (involuntary) experiment under .FR, I discovered that the rule "at least one DS must match for a child zone to be authenticated" is wrong if a broken DS is present.

[DNSSEC] Resolver behavior with broken DS records

2011-05-06 Thread Stephane Bortzmeyer
In an (involuntary) experiment under .FR, I discovered that the rule "at least one DS must match for a child zone to be authenticated" is wrong if a broken DS is present. In our case, the field Algorithm in the DS did not match the one in the DNSKEY. While there was another correct DS for the child