- Fix #986: Resolving sas.com with dnssec-validation fails though

signed delegations seem to be (mostly) correct.
2026-01-18 04:32:54 -05:00 · 2025-01-30 16:26:31 +01:00 · 2025-01-30 16:26:31 +01:00 · 01cea4d5be
commit 01cea4d5be
parent 35dbbcb2f5
2 changed files with 5 additions and 1 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,7 @@
+30 January 2025: Wouter
+	- Fix #986: Resolving sas.com with dnssec-validation fails though
+	  signed delegations seem to be (mostly) correct.
+
 29 January 2025: Yorgos
 	- Make the default value of module-config "validator iterator"
 	  regardless of compilation options. --enable-subnet would implicitly
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -1111,7 +1111,7 @@ This works by first choosing only the strongest DS digest type as per RFC 4509
 (Unbound treats the highest algorithm as the strongest) and then
 expecting signatures from all the advertised signing algorithms from the chosen
 DS(es) to be present.
-If no, allows any algorithm to validate the zone.
+If no, allows any one supported algorithm to validate the zone, even if other advertised algorithms are broken.
 Default is no.
 RFC 6840 mandates that zone signers must produce zones signed with all
 advertised algorithms, but sometimes they do not.