Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ... 4 DS's in total, for each KSK 1 DS with SHA-1, one with SHA-2 for one KSK, the algorithm used was changed from 5 to 8.

(I needed to do an extra change of the output of "dnssec-dsfromkey", because that tool calculates the keyid and ended up with a value 3 higher than the one of the key in the child. But now, the same keyid is in the child zone and in the DS-record at the parent. And I still have authenticated (AD-bit) answers)

Kind regards,
Marc

-----Original Message-----
From: 'Stephane Bortzmeyer' [mailto:bortzme...@nic.fr]
Sent: 09 May 2011 01:52 PM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: [DNSSEC] Resolver behavior with broken DS records

On Mon, May 09, 2011 at 01:41:08PM +0200, Marc Lampo <marc.la...@eurid.eu> wrote a message of 28 lines which said:

> So the "error" of the mismatched must be in the SHA-2 DS records ?

Yes.

> And *not* in the SHA-1's ? Or in both ?

RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no symmetry: the problem exists only if the invalid DS is the one hashed with SHA-2.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
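Stephane's RFC 4509 section 3 point and Marc's key-tag detail, as an added example that is not code from the thread or from BIND: a minimal validator-side DS check that computes the RFC 4034 key tag and DS digest and then applies the "ignore SHA-1 when SHA-256 is present" rule. The owner name, the key bytes and the all-zero "broken" digests are constructed for the example.

```python
import hashlib
import struct

# Added example (not the thread's own code): RFC 4509 s3 DS selection built on
# the RFC 4034 key tag and DS digest, run on constructed key material.
def owner_wire(name):
    """Canonical lower-case wire format of an owner name such as 'example.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey  # protocol is always 3

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest()

def usable_ds(ds_rrset):
    """RFC 4509 s3: SHA-1 DS records are ignored when any SHA-256 DS is present."""
    if any(ds["digest_type"] == 2 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds["digest_type"] == 2]
    return list(ds_rrset)

def validate_dnskey(owner, dnskeys, ds_rrset):
    """'secure' if a usable DS authenticates a DNSKEY, otherwise 'bogus'."""
    for ds in usable_ds(ds_rrset):
        for rdata in dnskeys:
            if (ds["key_tag"], ds["algorithm"]) != (key_tag(rdata), rdata[3]):
                continue
            if ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]):
                return "secure"
    return "bogus"

OWNER = "child.example."  # constructed zone name
KSK = dnskey_rdata(257, 8, bytes(range(1, 66)))  # constructed bytes, not a real RSA key

def make_ds(rdata, digest_type, digest=None):
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type,
            "digest": digest or ds_digest(OWNER, rdata, digest_type)}

def scenarios():
    """Asymmetry: a broken SHA-256 DS is fatal even beside a good SHA-1 DS, not vice versa."""
    good1, good2 = make_ds(KSK, 1), make_ds(KSK, 2)
    bad1, bad2 = make_ds(KSK, 1, "00" * 20), make_ds(KSK, 2, "00" * 32)
    return {"bad_sha256_good_sha1": validate_dnskey(OWNER, [KSK], [good1, bad2]),
            "bad_sha1_good_sha256": validate_dnskey(OWNER, [KSK], [bad1, good2]),
            "sha1_only": validate_dnskey(OWNER, [KSK], [good1])}
```

Swapping the order of the DS records in either RRset does not change the outcome, which is the point: the SHA-256 DS decides on its own once it is present.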