On Tue, Feb 17, 2015 at 07:34:37AM +1100, Mark Andrews <marka at isc.org> wrote a message of 171 lines which said: > The validator is *not* supposed to *check* if the zone has been > signed with all the alogorithms in the DS RRset. It is supposed to > keep trying all RRSIG/DS/DNSKEY combinations until it succeeds. For the record, the relevant RFC seems to be RFC 6840, section 5.11, "A signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone. The zone MUST also be signed with each algorithm (though not each key) present in the DNSKEY RRset." It seems that the zone violated the first requirment (there was an alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second (there was only alg. 5 in the DNSKEY RRset).