[Pdns-users] Multiple DS Records

Pieter Lexis pieter+powerdns at plexis.eu
Tue Nov 11 13:26:52 UTC 2025


Hi Rob,

On Tue, 2025-11-11 at 13:30 +0100, rob777 via Pdns-users wrote:
> If I have two DS records for a domain at my registrar (let's assume
> the same algo) and one DS record is correct (fully validated chain) and
> the other is broken, will all recursors that validate DNSSEC work
> all the time while querying my domain, or will it work randomly/half
> of the time (because one of the two DS records is broken)?

A proper security-aware resolver would validate the records properly,
as that is the only way to do a key rollover. This requirement for
having at least one valid path to a trust anchor is laid out in RFC
4035, section 5.3.1 [1].

Cheers,

Pieter

1 - https://www.rfc-editor.org/rfc/rfc4035#section-5.3.1
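The behaviour Pieter points to (a validator needs only one DS record in the parent that matches a DNSKEY in the child; extra non-matching DS records are ignored) can be modelled in a few lines. The following is an added example, not PowerDNS code and not part of the original thread: it implements the DS digest and key tag computations from RFC 4034 (section 5.1.4 and Appendix B) and the "any matching DS" selection step of RFC 4035 section 5.3.1. The public key bytes are a constructed placeholder, not a real key, and the subsequent RRSIG verification of the DNSKEY RRset with the matched key is out of scope here.

```python
import hashlib
import struct

# RFC 4034 digest types a validator understands; unknown types are skipped
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            lb = label.encode("ascii")
            out += bytes([len(lb)]) + lb
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if (i & 1) else (b << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Build a DS record (key tag, algorithm, digest type, digest) for a DNSKEY."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def matching_keys(owner: str, ds_rrset: list, dnskey_rrset: list) -> list:
    """DNSKEYs for which at least one parent-side DS record matches.

    A DS whose key tag, algorithm or digest does not match is simply ignored;
    it only matters that some DS in the set matches some DNSKEY (RFC 4035 5.3.1).
    """
    matched = []
    for rdata in dnskey_rrset:
        tag, alg = key_tag(rdata), rdata[3]
        for ds_tag, ds_alg, ds_dt, ds_hash in ds_rrset:
            if ds_tag != tag or ds_alg != alg or ds_dt not in DIGESTS:
                continue
            if ds_digest(owner, rdata, ds_dt) == ds_hash:
                matched.append(rdata)
                break
    return matched


def has_trusted_path(owner: str, ds_rrset: list, dnskey_rrset: list) -> bool:
    """True when the chain from the parent's DS RRset into this zone can continue."""
    return len(matching_keys(owner, ds_rrset, dnskey_rrset)) > 0


# Constructed sample: one KSK (flags 257, algorithm 13) with placeholder key bytes.
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))  # placeholder, not a real key

DS_GOOD = make_ds(ZONE, KSK, 2)
# "Broken" DS: same tag/algorithm/type but a corrupted digest (last byte flipped).
DS_BROKEN = (DS_GOOD[0], DS_GOOD[1], DS_GOOD[2], DS_GOOD[3][:-1] + bytes([DS_GOOD[3][-1] ^ 0xFF]))


def demo() -> dict:
    """Outcome for the situations in the thread: both DS published vs. only the broken one."""
    return {
        "good_and_broken": has_trusted_path(ZONE, [DS_GOOD, DS_BROKEN], [KSK]),
        "broken_only": has_trusted_path(ZONE, [DS_BROKEN], [KSK]),
        "good_only": has_trusted_path(ZONE, [DS_GOOD], [KSK]),
    }


if __name__ == "__main__":
    print(demo())
```

The same logic is what makes a KSK rollover work: while both the old and new DS sit in the parent, the zone validates whichever key currently signs the DNSKEY RRset, and the stale or mistyped DS is never selected. Validation does not become intermittent because of it.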

