Maintained by: NLnet Labs

[Unbound-users] [DNSSEC] Resolver behavior with broken DS records

Stephane Bortzmeyer
Mon May 9 13:42:21 CEST 2011


On Mon, May 09, 2011 at 12:43:43PM +0200,
 lst_hoe02 at kwsoft.de <lst_hoe02 at kwsoft.de> wrote 
 a message of 34 lines which said:

> That means higher grade hashes were invalid and no fallback will be
> done to the lower grade in this case?

Correct. And this seems to be on purpose (to avoid a downgrade attack,
although, in typical DNSSEC fashion, this will break a valid zone
without enhancing security).
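Added illustration, not part of the thread and not Unbound's code: a small Python model of the DS-matching rule the message refers to (RFC 4509 section 3: when DS records with a stronger supported digest type are present, the validator uses only those and ignores the weaker ones). It computes real DS digests from a constructed DNSKEY and shows that a correct SHA-1 DS does not rescue a zone whose SHA-256 DS is corrupted, which is the breakage the message describes. The zone name, key bytes and the "mis-pasted DS" scenario are all constructed for the example; the ranking of digest types by code number is an assumption that holds for the three digest types implemented here.

```python
import hashlib
import struct

# DS digest types (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605). Type 3 (GOST) is
# left out on purpose: a DS record whose digest type the validator does not
# implement is "unsupported", which is a different case from a broken digest.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lower-case labels, root label last."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), public key bytes."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(key):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, key, digest_type):
    """DS digest per RFC 4034 sec. 5.1.4: hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + dnskey_rdata(key)).digest()


def make_ds(owner, key, digest_type, digest=None):
    """Build a DS record; passing `digest` lets the caller plant a corrupted digest."""
    return {
        "key_tag": key_tag(key),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": ds_digest(owner, key, digest_type) if digest is None else digest,
    }


def validate_ds_rrset(owner, ds_rrset, dnskey_rrset):
    """Match a DS RRset against a DNSKEY RRset following RFC 4509 section 3.

    Only DS records of the strongest supported digest type present are tried;
    weaker DS records are ignored even when they would have matched.
    Returns (digest_type_used, reason); digest_type_used is None on failure.
    """
    supported = [ds for ds in ds_rrset if ds["digest_type"] in DIGEST_ALGS]
    if not supported:
        return None, "no DS record with a supported digest type"
    # Assumption: rank by digest-type code. For SHA-1 (1), SHA-256 (2) and
    # SHA-384 (4) that order is also the order of digest strength.
    strongest = max(ds["digest_type"] for ds in supported)
    for ds in (d for d in supported if d["digest_type"] == strongest):
        for key in dnskey_rrset:
            if ds["key_tag"] != key_tag(key) or ds["algorithm"] != key["algorithm"]:
                continue
            if ds["digest"] == ds_digest(owner, key, strongest):
                return strongest, "ok"
    return None, f"no DS of digest type {strongest} matched; weaker DS records were not tried"


# Constructed sample data: the "public key" is filler bytes, not a real RSA key.
ZONE = "example.test."
KSK = {"flags": 257, "protocol": 3, "algorithm": 8, "public_key": bytes(range(64))}


def demo():
    """Three parent-side DS RRsets for the same KSK; returns each validation result."""
    good_sha1 = make_ds(ZONE, KSK, 1)
    good_sha256 = make_ds(ZONE, KSK, 2)
    # Constructed failure: the SHA-256 DS published at the parent has a wrong digest.
    broken_sha256 = make_ds(ZONE, KSK, 2, digest=bytes(32))
    return {
        "sha1_only": validate_ds_rrset(ZONE, [good_sha1], [KSK]),
        "both_good": validate_ds_rrset(ZONE, [good_sha1, good_sha256], [KSK]),
        "broken_sha256_with_good_sha1": validate_ds_rrset(ZONE, [good_sha1, broken_sha256], [KSK]),
    }


if __name__ == "__main__":
    for scenario, (dtype, reason) in demo().items():
        print(f"{scenario:30s} digest type used: {dtype}  ({reason})")
```

The third scenario is the one from the thread: the SHA-1 DS is correct, but because a SHA-256 DS is present the validator only considers SHA-256 records, the corrupted one fails, and no fallback occurs. For an operator, the practical check is to compute the DS for the current KSK with every digest type being published and compare each against what the parent actually serves before relying on the weaker one as a safety net.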