[dnssec-deployment] About "no validation" for DNS root signing strategy
jakob at kirei.se
Thu Oct 8 10:39:08 EDT 2009
On 8 Oct 2009, at 15.07, Thierry Moreau wrote:
> I'm afraid if you have different keys used for signing than the key
> values in the DNSKEY RRset, you either trigger "bogus" DNSSEC
> validation result or a DNSSEC protocol validation (i.e. a key tag on
> the RRSIG records that is absent from the DNSKEY RRset).
The current plan is to have matching keytags, so if someone were to
configure the keys as a trust anchor the signatures would not validate
(but the resolver would try, as the keytags match).

Do you think we should address this case? That is, if someone were to
configure this apparently bogus key and put it in their resolver.
Kirei AB - http://www.kirei.se/
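The behaviour Jakob describes rests on how a validator picks candidate keys: an RRSIG names a DNSKEY only by owner, algorithm and the 16-bit key tag of RFC 4034 Appendix B, so the resolver tries every DNSKEY whose tag matches and only then discovers that the signature was made with different key material. The following is an added example, not code from this thread or from Kirei; it implements the RFC 4034 key tag calculation, shows that two constructed keys with different public-key bytes can share a tag (the tag is a checksum, not a hash), and walks the candidate-selection step to the three outcomes under discussion: no key with a matching tag, a matching key whose signature fails (the "apparently bogus key" case), and a matching key whose signature verifies. The `verify` callable is a stand-in for the real cryptographic check and is supplied by the caller.

```python
import struct
from typing import Callable, List, NamedTuple


class DNSKEY(NamedTuple):
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256
    public_key: bytes # raw public key field from the RDATA


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        # even-indexed bytes are the high half of a 16-bit word, odd-indexed the low half
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(dnskeys: List[DNSKEY], rrsig_tag: int, rrsig_alg: int) -> List[DNSKEY]:
    """Keys a validator will attempt for an RRSIG: same algorithm and same key tag (RFC 4035 5.3.1)."""
    return [k for k in dnskeys if k.algorithm == rrsig_alg and key_tag(k) == rrsig_tag]


def validation_outcome(dnskeys: List[DNSKEY], rrsig_tag: int, rrsig_alg: int,
                       verify: Callable[[DNSKEY], bool]) -> str:
    """Return 'secure' if any candidate key verifies the signature, else a 'bogus' reason.

    `verify` is the cryptographic signature check, supplied by the caller.
    """
    candidates = candidate_keys(dnskeys, rrsig_tag, rrsig_alg)
    if not candidates:
        # Thierry's second case: the RRSIG references a key tag absent from the DNSKEY RRset
        return "bogus: no DNSKEY with matching key tag"
    if any(verify(k) for k in candidates):
        return "secure"
    # Jakob's case: the tag matched so the resolver tried, but the key material differs
    return "bogus: key tag matched but no candidate key verified the signature"


# Constructed sample keys (not real DNSSEC keys): the public-key bytes differ but are
# chosen so the RFC 4034 checksum is identical, giving the same key tag.
KEY_A = DNSKEY(257, 3, 8, bytes([0x10, 0x20, 0x30, 0x40]))
KEY_B = DNSKEY(257, 3, 8, bytes([0x30, 0x40, 0x10, 0x20]))


def demo() -> dict:
    tag = key_tag(KEY_A)
    published = [KEY_A]
    # Stand-in for signature verification: the zone was signed with KEY_B, so only KEY_B verifies.
    signed_with_b = lambda k: k == KEY_B
    return {
        "tag_a": tag,
        "tag_b": key_tag(KEY_B),
        "published_a_signed_b": validation_outcome(published, tag, 8, signed_with_b),
        "published_b_signed_b": validation_outcome([KEY_B], tag, 8, signed_with_b),
        "no_matching_tag": validation_outcome(published, (tag + 1) & 0xFFFF, 8, signed_with_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The middle outcome is the one the thread is about: a resolver configured with KEY_A as a trust anchor finds its tag on the RRSIG, performs the expensive verification, and only then returns bogus; a resolver with no matching tag fails faster, without trying. Operationally the two cases look different in validator logs, which is worth knowing when troubleshooting a mismatched anchor.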