Maintained by: NLnet Labs

[Unbound-users] [DNSSEC] BIND validates but not Unbound: who is right?

Stephane Bortzmeyer
Mon Feb 16 22:28:21 CET 2015

On Tue, Feb 17, 2015 at 07:34:37AM +1100,
 Mark Andrews <marka at> wrote 
 a message of 171 lines which said:

> The validator is *not* supposed to *check* if the zone has been
> signed with all the alogorithms in the DS RRset.  It is supposed to
> keep trying all RRSIG/DS/DNSKEY combinations until it succeeds.

For the record, the relevant RFC seems to be RFC 6840, section 5.11,
"A signed zone MUST include a DNSKEY for each algorithm present in the
zone's DS RRset and expected trust anchors for the zone.  The zone
MUST also be signed with each algorithm (though not each key) present
in the DNSKEY RRset."

It seems that the zone violated the first requirment (there was an
alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the second
(there was only alg. 5 in the DNSKEY RRset).