Maintained by: NLnet Labs

[Unbound-users] Should we really validate with a revoked TA

Stephan Lagerholm
Wed Aug 4 23:31:56 CEST 2010

Admittedly misconfigured, but unbound validates when a revoked DNSKEY is used as a trust
anchor, see attached unbound.conf.


Isn't that a violation of 5011 section 2.1?

"Once the resolver sees the REVOKE bit, it MUST NOT use this key as a
trust anchor or for any other purpose"

Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation,
Cell: 469-834-3940
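As an added illustration of the RFC 5011 section 2.1 rule quoted above (example code written for this thread, not Unbound's own validator): the check parses a DNSKEY record in presentation format, refuses it as a trust anchor when the REVOKE bit is set, and computes the RFC 4034 key tag to show that revoking a key also changes its tag. The records and key bytes are constructed, not real key material.

```python
"""Trust-anchor acceptance check following RFC 5011 section 2.1."""
import base64
import struct

ZONE_FLAG = 0x0100    # bit 7: zone key (required for a trust anchor)
REVOKE_FLAG = 0x0080  # bit 8: RFC 5011 REVOKE bit
SEP_FLAG = 0x0001     # bit 15: secure entry point (informational)

# Constructed sample records: 257 = ZONE|SEP, 385 = ZONE|SEP|REVOKE.
_KEY_B64 = base64.b64encode(b"constructed test key, not real key material").decode()
GOOD_TA = f". 3600 IN DNSKEY 257 3 8 {_KEY_B64}"
REVOKED_TA = f". 3600 IN DNSKEY 385 3 8 {_KEY_B64}"


def parse_dnskey(rr: str) -> dict:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64key' into fields."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return {"owner": fields[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "key": key}


def key_tag(rec: dict) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags included)."""
    rdata = struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trust_anchor_problems(rr: str) -> list[str]:
    """Reasons this record must not be used as a trust anchor; empty if acceptable."""
    rec = parse_dnskey(rr)
    problems = []
    if rec["flags"] & REVOKE_FLAG:
        problems.append("REVOKE bit set: RFC 5011 section 2.1 forbids use as a trust anchor")
    if not rec["flags"] & ZONE_FLAG:
        problems.append("ZONE bit clear: not a zone key")
    if rec["protocol"] != 3:
        problems.append(f"protocol {rec['protocol']} is not 3")
    return problems


if __name__ == "__main__":
    for rr in (GOOD_TA, REVOKED_TA):
        rec = parse_dnskey(rr)
        print(f"flags={rec['flags']} tag={key_tag(rec)} problems={trust_anchor_problems(rr)}")
```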

