On 28/06/13 15:18, W.C.A. Wijngaards wrote:
> Hi Ehren,
>
> On 06/28/2013 03:47 PM, Ehren Hawks wrote:
>> Yesterday a customer of ours reported they couldn’t get to
>> *mypay.dfas.mil*. Upon looking into it I see both of my Unbound
>> servers are returning SERVFAIL. Given the type of site this is I
>> suspected this to be a possible DNSSEC issue. I verified there’s an
>> issue here:
>
> Unbound checks that the chain of trust uses the correct algorithm, as
> advertised by the DS record. The DS record advertises algorithm 7
> (only). The DNSKEY record set has keys for 7 and 8. The MX record is
> signed with only 8.
>
> Unbound is strict here: the DS record states that this chain of trust
> must be present (MUST in the RFC). It is not, bogus.

Does the RFC really intend to enforce that algo transition can only take place at a DS record, even with valid DNSKEY/RRSIG pairs all the way down?
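As an added illustration (not Unbound's code and not part of the thread), the following constructed Python model compares the strict per-DS-algorithm check Wijngaards describes with the any-valid-path reading the follow-up question asks about. The algorithm sets are constructed from the thread's description (DS: 7; DNSKEY: 7 and 8; MX RRSIG: 8 only), the DNSKEY RRset is assumed to be signed with both algorithms, and the cryptographic verification of each RRSIG is assumed to have already succeeded, so only the algorithm bookkeeping is modelled.

```python
"""Model of the DNSSEC algorithm-consistency check discussed in the thread.

Constructed scenario, not Unbound's code: the parent DS RRset advertises
algorithm 7, the apex DNSKEY RRset holds keys for 7 and 8, and the MX
RRset carries an RRSIG made with algorithm 8 only. Cryptographic
verification of every RRSIG is assumed to have passed; only the
algorithm bookkeeping of the chain of trust is modelled.
"""

# IANA DNSSEC algorithm numbers used in the thread.
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8

# Constructed zone data: which algorithms appear at each step of the chain.
ZONE = {
    "ds_algs": {RSASHA1_NSEC3_SHA1},                 # parent-side DS RRset
    "dnskey_algs": {RSASHA1_NSEC3_SHA1, RSASHA256},  # apex DNSKEY RRset
    "rrsig_algs": {                                  # RRSIG algorithms per RRset
        "DNSKEY": {RSASHA1_NSEC3_SHA1, RSASHA256},   # assumed: apex signed with both
        "MX": {RSASHA256},                           # as reported: signed with 8 only
    },
}


def strict_status(zone, rrset):
    """Strict reading (the behaviour the thread attributes to Unbound):
    every algorithm the DS RRset advertises must have a matching DNSKEY,
    must sign the DNSKEY RRset, and must sign the queried RRset.
    Any missing link in that per-algorithm chain makes the answer bogus."""
    for alg in zone["ds_algs"]:
        if alg not in zone["dnskey_algs"]:
            return "bogus"
        if alg not in zone["rrsig_algs"]["DNSKEY"]:
            return "bogus"
        if alg not in zone["rrsig_algs"].get(rrset, set()):
            return "bogus"
    return "secure"


def any_path_status(zone, rrset):
    """Lenient reading (the one the follow-up question asks about): one DS
    algorithm that matches a DNSKEY and signs the DNSKEY RRset is enough to
    trust the whole apex key set; after that, any apex key may sign RRsets."""
    apex_trusted = any(alg in zone["dnskey_algs"] and alg in zone["rrsig_algs"]["DNSKEY"]
                       for alg in zone["ds_algs"])
    if not apex_trusted:
        return "bogus"
    signed_by_apex_key = zone["rrsig_algs"].get(rrset, set()) & zone["dnskey_algs"]
    return "secure" if signed_by_apex_key else "bogus"


if __name__ == "__main__":
    print("strict :", strict_status(ZONE, "MX"))    # bogus, as in the thread
    print("lenient:", any_path_status(ZONE, "MX"))  # secure
```

Adding an algorithm-7 RRSIG to the MX RRset (or dropping the lone DS) makes the strict check pass as well, which is the gap between the two readings the question is about.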