- Fix #986: Resolving sas.com with dnssec-validation fails though
  signed delegations seem to be (mostly) correct.
wcawijngaards committed Jan 30, 2025
1 parent 35dbbcb commit 01cea4d
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions doc/Changelog
@@ -1,3 +1,7 @@
30 January 2025: Wouter
- Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.

29 January 2025: Yorgos
- Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
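Review bot: The new entry under 30 January 2025 only repeats the issue title and does not say what was changed. The commit touches just doc/Changelog and doc/unbound.conf.5.in, so a Changelog reader would assume a validator code fix; consider adding that the fix is a clarification of the man page text about which algorithms must validate the zone when the option is set to no.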
2 changes: 1 addition & 1 deletion doc/unbound.conf.5.in
Expand Up @@ -1111,7 +1111,7 @@ This works by first choosing only the strongest DS digest type as per RFC 4509
(Unbound treats the highest algorithm as the strongest) and then
expecting signatures from all the advertised signing algorithms from the chosen
DS(es) to be present.
If no, allows any algorithm to validate the zone.
If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken.
Default is no.
RFC 6840 mandates that zone signers must produce zones signed with all
advertised algorithms, but sometimes they do not.
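Review bot: In the rewritten "If no" sentence, "broken" is ambiguous: it can be read as a signature that is missing, a signature that fails to verify, or an algorithm that is cryptographically weak. If the intended meaning is that signatures for the other advertised algorithms may be missing or fail to validate, say that explicitly, since this sentence describes the default ("Default is no.") and operators rely on it to judge what validation guarantees they get. The new line is also much longer than the wrapped lines around it and should be re-wrapped to match.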