Marc Lampo <marc.la...@eurid.eu> wrote:

> Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
>
> 4 DS's in total,
> for each KSK 1 DS with SHA-1, one with SHA-2
> for one KSK, the algorithm used was changed from 5 to 8.

As I understand it the problem that Stephane reported occurred when the
single SHA-2 DS was broken but the single SHA-1 DS was correct but
disregarded by the validator. There is no fallback from SHA-2 DS to SHA-1
(RFC 4509 section 3) so if all SHA-2 DS records are broken the whole
domain is broken.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
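
The failure mode described in this reply, as an added example that is not part of the original message or of BIND: a sketch of the RFC 4509 section 3 rule, where SHA-1 DS records are ignored once any SHA-256 DS is present in the DS RRset. The owner name "example.", the key bytes and all function names are constructed for illustration, and the rule is applied across the whole RRset as a simplification.

```python
import hashlib
import struct

SHA1, SHA256 = 1, 2  # DS digest type numbers
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def wire_name(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS tuple: (key tag, algorithm, digest type, digest of owner | RDATA)."""
    digest = HASHES[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def usable_ds(ds_rrset):
    """RFC 4509 section 3: ignore SHA-1 DS when any SHA-256 DS is present."""
    if any(ds[2] == SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] == SHA256]
    return [ds for ds in ds_rrset if ds[2] in HASHES]

def ds_matches_key(owner, ds_rrset, rdata):
    """True if a DS the validator may use matches this DNSKEY."""
    return any(make_ds(owner, rdata, ds[2]) == ds for ds in usable_ds(ds_rrset))

def demo():
    owner = "example."                             # constructed zone name
    ksk = dnskey_rdata(257, 8, bytes(range(64)))   # constructed key material
    good_sha1 = make_ds(owner, ksk, SHA1)
    good_sha256 = make_ds(owner, ksk, SHA256)
    bad_sha256 = good_sha256[:3] + (bytes(32),)    # corrupted digest
    return {
        "both_ok": ds_matches_key(owner, [good_sha1, good_sha256], ksk),
        "sha1_only": ds_matches_key(owner, [good_sha1], ksk),
        "sha1_ok_sha256_broken": ds_matches_key(owner, [good_sha1, bad_sha256], ksk),
    }

if __name__ == "__main__":
    print(demo())
```
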