Report information

The Basics
Id: 37541
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Version Fixed: 9.9.7, 9.9.7-S1, 9.10.2, 9.11.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: (no value)
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: test

Dates
Created: Mon, 20 Oct 2014 17:56:21 -0400
Updated: Thu, 03 Aug 2017 22:13:49 -0400
Closed: Wed, 29 Oct 2014 20:29:39 -0400



Subject: Behavior of the BIND validating resolver when an unknown crypto algorithm is specified.
Hello, Geoff --

This is Michael McNally from ISC -- we met at DNS-OARC and briefly
discussed a behavior you reported observing in BIND that was not acting
as expected.  I told you when I returned from travel after the conference
that I would look into it and make sure the matter gets referred to the
developers for action, so I am beginning by creating this ticket in our
bug-tracking system to follow the issue.

Excuse me while I first restate the issue to make sure I understand your report:

As I understand it, while experimenting with BIND validation, you tested a
case where BIND was asked to validate DNSSEC records signed with an
unimplemented (actually bogus) cryptographic algorithm.

In violation of expectation, you received an error response, whereas what
BIND should be returning (by design) is an answer without validation flags set.
Is that a fair summary?

Michael McNally
ISC Support
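
An added example, not part of the ticket and not ISC code: a small check that tells the two outcomes described above apart by reading the 12-byte header of a resolver's reply (RCODE and the AD bit). The function names, labels and sample headers are constructed for illustration.

```python
import struct

QR_FLAG = 0x8000      # message is a response
AD_FLAG = 0x0020      # Authenticated Data: resolver claims it validated the answer
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2


def classify_response(message: bytes) -> str:
    """Classify a reply for a name in a zone signed only with an algorithm
    the validating resolver does not implement."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    # Header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (network byte order)
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", message[:12])
    if not flags & QR_FLAG:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    ad = bool(flags & AD_FLAG)
    if rcode == SERVFAIL:
        return "error"            # the behaviour reported in the ticket
    if ad:
        return "unexpected-ad"    # validation claimed despite an unusable algorithm
    if rcode == NOERROR and ancount > 0:
        return "insecure"         # answer returned without the validation flag
    return "other"


def make_header(flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte header for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed sample replies (QR, RD and RA set in each).
SAMPLES = {
    "answer, AD clear": make_header(0x8180, 1),
    "SERVFAIL": make_header(0x8182, 0),
    "answer, AD set": make_header(0x81A0, 1),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:18s} -> {classify_response(msg)}")
```
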