Maintained by: NLnet Labs

[Unbound-users] Should we really validate with a revoked TA

Stephan Lagerholm
Wed Aug 4 23:31:56 CEST 2010


Admittedly misconfigured, but unbound validates www.secure64.com
<http://www.secure64.com/> when a revoked DNSKEY is used as a trust
anchor, see attached unbound.conf.

Isn't that a violation of 5011 section 2.1?

"Once the resolver sees the REVOKE bit, it MUST NOT use this key as a
trust anchor or for any other purpose"

/Stephan

----------------------------------------------------------------------

Stephan Lagerholm

Senior DNS Architect, M.Sc., CISSP

Secure64 Software Corporation, www.secure64.com

Cell: 469-834-3940

 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.conf
Type: application/octet-stream
Size: 335 bytes
Desc: unbound.conf
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100804/dd68e0b3/attachment-0001.obj>
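
An added example, not part of the original post and not Unbound's own code: a configuration audit that reports inline `trust-anchor:` DNSKEY entries whose REVOKE bit (flags value 0x0080, RFC 5011) is set, together with the key tag before and after revocation. The sample configuration and key material are constructed placeholders, `audit_trust_anchors` and `key_tag` are hypothetical names, and anchors loaded from separate files are not read.

```python
import base64
import re
import struct

REVOKE = 0x0080  # RFC 5011: REVOKE is bit 8 of the DNSKEY flags field

# Matches inline anchors only: trust-anchor: "owner [ttl] [class] TYPE rdata"
ANCHOR_RE = re.compile(r'^\s*trust-anchor:\s*"([^"]+)"', re.M)

# Constructed sample; "AQIDBA==" is placeholder key material, not a real key.
SAMPLE_CONF = '''
server:
    trust-anchor: "example.test. DNSKEY 385 3 8 AQIDBA=="
    trust-anchor: "example.test. DNSKEY 257 3 8 AQIDBA=="
    trust-anchor: "example.test. DS 12345 8 2 00"
'''

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_trust_anchors(conf_text):
    """Return one finding per DNSKEY trust anchor in the config text."""
    findings = []
    for m in ANCHOR_RE.finditer(conf_text):
        fields = m.group(1).split()
        upper = [f.upper() for f in fields]
        if "DNSKEY" not in upper:
            continue  # DS anchors carry no flags field, nothing to check
        i = upper.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        # Presentation format may split the base64 across several fields.
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        findings.append({
            "owner": fields[0],
            "flags": flags,
            "revoked": bool(flags & REVOKE),
            "key_tag": key_tag(flags, proto, alg, pubkey),
            # Setting REVOKE changes the tag, so also report the original one.
            "key_tag_before_revoke": key_tag(flags & ~REVOKE, proto, alg, pubkey),
        })
    return findings

if __name__ == "__main__":
    for f in audit_trust_anchors(SAMPLE_CONF):
        print("REVOKED" if f["revoked"] else "ok", f)
```
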