Maintained by: NLnet Labs

[Unbound-users] Should we really validate with a revoked TA

W.C.A. Wijngaards
Thu Aug 5 09:05:24 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Stephan,

This is because of the discussion on dnsext, where I am asking if this
is the spec?

Your configuration sets a fixed trust anchor (with revoke flag) without
enabling 5011 for that domain name.  Thus unbound treats that flag just
like any other unknown flag (or like the SEP flag, that is, a hint for
operators.

If you had enabled 5011 for the domain it would have followed 5011 for
that revoke flag.

You think that 5011 applies to *all* domains?  Also non-trustanchors?
This discussion could better be on namedroppers.

Best regards,
   Wouter


On 08/05/2010 01:37 AM, Stephan Lagerholm wrote:
> DLV is was not used so it couldn't really be the problem.
> 
> Even if it would, the key in DLV (41992) is still active and correct.
> The revoked key is 35655 (was 35524 before it got revoked if I do the
> math correctly).
> 
> I say that the parser is wrong to accept a key with flag 385 at all.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxaYrQACgkQkDLqNwOhpPiTMgCfXPuvZqicQSg3AsoB3QIFyh/K
0LcAn078QvHwTpLg6NQSVYv9C2S5RRE9
=AR2J
-----END PGP SIGNATURE-----