To put more detail on this, the DS is *only* used to verify the DNSKEY
RRset. As long as that returns trusted, *every* DNSKEY in that RRset is
valid for verifying the rest of the zone. There is NO requirement to
look at the DS RRset when verifying anything other than the DNSKEY
RRset.
TA -> DNSKEY
Well if you are attacking the resolver by sending invalid RRSIGs ...
> On 15 Feb 2024, at 11:15, Matt Nordhoff via bind-users
> wrote:
>
> Hello,
>
> I'm not sure if this is a bug or a feature, but the recent CVE fixes
> prevent resolving paste.debian.net with DNSSEC validation on.
>
> It is