Maintained by: NLnet Labs

[Unbound-users] Should we really validate with a revoked TA

Paul Wouters
Thu Aug 5 00:23:08 CEST 2010


On Wed, 4 Aug 2010, Stephan Lagerholm wrote:

> Admittedly misconfigured, but unbound validates www.secure64.com when a revoked DNSKEY is used as a trust anchor, see
> attached unbound.conf.
>
> Isn’t that a violation of 5011 section 2.1?
>
>  “Once the resolver sees the REVOKE bit, it MUST NOT use this key as a trust anchor or for any other purpose”

I am not entirely sure how the unbound logic works. But it seems like this might be happening
because the trust anchor that is revoked (key tag 41992) comes in via DLV. But yes, technically,
this should be a ServFail.

I trust you will add logic to look up the DLV record before allowing one to finish a KSK rollover :)

Paul
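The RFC 5011 rule the thread quotes can be checked mechanically on a DNSKEY record: the REVOKE flag bit (0x0080) must cause the key to be rejected as a trust anchor, and because the key tag (RFC 4034 Appendix B) is computed over the RDATA including the flags word, a revoked key also carries a different tag than the original, which is why a tag like the 41992 mentioned above only matches the revoked form. The following is an added example, not code from the thread or from Unbound; the DNSKEY record and its 4-byte "public key" are constructed for illustration and are not real key material.

```python
import base64
import struct

# DNSKEY flag bits: RFC 4034 section 2.1 (ZONE, SEP), RFC 5011 section 2.1 (REVOKE)
ZONE_KEY = 0x0100
REVOKE = 0x0080
SEP = 0x0001


def parse_dnskey(presentation: str):
    """Parse presentation-format 'owner [ttl] [class] DNSKEY flags proto alg base64...'."""
    tokens = presentation.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trust_anchor_verdict(flags: int) -> str:
    """RFC 5011 2.1: a key with REVOKE set MUST NOT be used as a trust anchor."""
    if flags & REVOKE:
        return "reject: revoked"
    if not flags & ZONE_KEY:
        return "reject: not a zone key"
    return "ok"


def evaluate(presentation: str) -> dict:
    """Return key tag and trust-anchor verdict for one DNSKEY record."""
    flags, proto, alg, pubkey = parse_dnskey(presentation)
    return {"tag": key_tag(dnskey_rdata(flags, proto, alg, pubkey)),
            "verdict": trust_anchor_verdict(flags)}


# Constructed records: same (fake) key, once as KSK (257) and once revoked (385)
KSK = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="
REVOKED_KSK = "example. 3600 IN DNSKEY 385 3 8 AQIDBA=="
```

A validator that applies `trust_anchor_verdict` before accepting a configured anchor would ServFail on the setup described in the thread rather than validate with the revoked key.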