
[Unbound-users] [DNSSEC] BIND validates but not Unbound: who is right?

Yuri Schaeffer
Mon Feb 16 22:57:00 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> The validator is *not* supposed to *check* if the zone has been 
>> signed with all the algorithms in the DS RRset.  It is supposed
>> to keep trying all RRSIG/DS/DNSKEY combinations until it
>> succeeds
> 
> For the record, the relevant RFC seems to be RFC 6840, section
> 5.11, "A signed zone MUST include a DNSKEY for each algorithm
> present in the zone's DS RRset and expected trust anchors for the
> zone.  The zone MUST also be signed with each algorithm (though not
> each key) present in the DNSKEY RRset."
> 
> It seems that the zone violated the first requirement (there was an 
> alg. 8 in the DS RRset but not in the DNSKEY RRset) but not the
> second (there was only alg. 5 in the DNSKEY RRset).

It's only fair to include the rest of section 5.11:

   This requirement applies to servers, not validators.  Validators
   SHOULD accept any single valid path.  They SHOULD NOT insist that all
   algorithms signaled in the DS RRset work, and they MUST NOT insist
   that all algorithms signaled in the DNSKEY RRset work.  A validator
   MAY have a configuration option to perform a signature completeness
   test to support troubleshooting.

Thus indeed "The validator is *not* supposed to *check* (...)". But it
does give the validator some leeway to actually enforce that MUST from
your quote. To come back to your question, who's right, Unbound or
BIND? Unbound is more strict. The authority was wrong.

//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlTiZ6wACgkQI3PTR4mhavh1iQCdFypZc1JaVTrsDBUQVdI/aEo+
sHcAn1w6hviO6T3kJDeztuX9R+/qvgMz
=N6uq
-----END PGP SIGNATURE-----
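The two behaviours the thread contrasts, the "accept any single valid path" rule that RFC 6840 section 5.11 prescribes for validators and the optional signature completeness test it allows for troubleshooting, modelled in Python. This is an added example, not code from the thread, from Unbound or from BIND. The key tags are constructed, algorithm numbers 5 and 8 follow the thread's description of the broken zone, and the `verifies` flag stands in for the cryptographic signature check (as does matching a DS to a DNSKEY by key tag and algorithm alone, without the digest); all of that is an assumption made to keep the model self-contained.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool  # assumption: outcome of the real crypto check, stubbed here


def usable_keys(ds_set, dnskey_set):
    """DNSKEYs authenticated by some DS record (assumption: tag+algorithm match only)."""
    ds_ids = {(d.key_tag, d.algorithm) for d in ds_set}
    return {k for k in dnskey_set if (k.key_tag, k.algorithm) in ds_ids}


def any_single_valid_path(ds_set, dnskey_set, dnskey_rrsigs, data_rrsigs):
    """RFC 6840 s5.11 validator rule: secure if any one DS->DNSKEY->RRSIG chain works.

    Step 1: the DNSKEY RRset must carry a verifying RRSIG made by a DS-authenticated key.
    Step 2: the data RRset must carry a verifying RRSIG made by any key in that DNSKEY RRset.
    Algorithms signalled in DS or DNSKEY but unused along this path are ignored.
    """
    trusted = usable_keys(ds_set, dnskey_set)
    rrset_ok = any(s.verifies and DNSKEY(s.key_tag, s.algorithm) in trusted
                   for s in dnskey_rrsigs)
    if not rrset_ok:
        return False
    key_ids = {(k.key_tag, k.algorithm) for k in dnskey_set}
    return any(s.verifies and (s.key_tag, s.algorithm) in key_ids for s in data_rrsigs)


def completeness_problems(ds_set, dnskey_set, zone_rrsigs):
    """The optional troubleshooting test: report the server-side MUSTs of s5.11 that fail.

    Requirement 1: every algorithm in the DS RRset must appear in the DNSKEY RRset.
    Requirement 2: every algorithm in the DNSKEY RRset must actually sign the zone.
    Returns a list of human-readable problems; empty means the zone is complete.
    """
    problems = []
    ds_algs = {d.algorithm for d in ds_set}
    key_algs = {k.algorithm for k in dnskey_set}
    sig_algs = {s.algorithm for s in zone_rrsigs if s.verifies}
    for alg in sorted(ds_algs - key_algs):
        problems.append(f"DS RRset signals algorithm {alg} but the DNSKEY RRset has no such key")
    for alg in sorted(key_algs - sig_algs):
        problems.append(f"DNSKEY RRset contains algorithm {alg} but no RRSIG uses it")
    return problems


def strict_validate(ds_set, dnskey_set, dnskey_rrsigs, data_rrsigs):
    """A validator with the completeness option switched on: a path must exist AND
    the zone must satisfy the s5.11 server requirements, otherwise treat it as bogus."""
    if not any_single_valid_path(ds_set, dnskey_set, dnskey_rrsigs, data_rrsigs):
        return False
    return not completeness_problems(ds_set, dnskey_set, dnskey_rrsigs + data_rrsigs)


# Constructed scenario matching the thread: the parent publishes DS records for
# algorithms 8 and 5, but the child zone only carries (and signs with) an alg-5 key.
THREAD_DS = {DS(12345, 8), DS(23456, 5)}
THREAD_DNSKEY = {DNSKEY(23456, 5)}
THREAD_DNSKEY_RRSIGS = [RRSIG(23456, 5, True)]
THREAD_DATA_RRSIGS = [RRSIG(23456, 5, True)]

if __name__ == "__main__":
    args = (THREAD_DS, THREAD_DNSKEY, THREAD_DNSKEY_RRSIGS, THREAD_DATA_RRSIGS)
    print("lenient validator (any single path):", any_single_valid_path(*args))
    print("completeness problems:", completeness_problems(THREAD_DS, THREAD_DNSKEY,
                                                          THREAD_DNSKEY_RRSIGS + THREAD_DATA_RRSIGS))
    print("strict validator:", strict_validate(*args))
```

Run as a script, the lenient path check reports the zone as secure via the alg-5 chain, the completeness test reports the missing alg-8 DNSKEY, and the strict mode rejects the zone; that is the split between the two resolvers the thread describes, with the authoritative side being the one that broke the rule.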