Vários registros do DS

A maioria das operadoras esperaria que o registro órfão DS fosse ignorado. Múltiplos DS RRs, um ou mais dos quais podem não estar alinhados com o DNSKEY RRset correspondente, podem ser encontrados e isso é bem documentado.

link

2.4.  Including DS RRs in a Zone

   The DS resource record establishes authentication chains between DNS
   zones.  A DS RRset SHOULD be present at a delegation point when the
   child zone is signed.  The DS RRset MAY contain multiple records,
   each referencing a public key in the child zone used to verify the
   RRSIGs in that zone.  All DS RRsets in a zone MUST be signed, and DS
   RRsets MUST NOT appear at a zone's apex.

   A DS RR SHOULD point to a DNSKEY RR that is present in the child's
   apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
   by the corresponding private key.  DS RRs that fail to meet these
   conditions are not useful for validation, but because the DS RR and
   its corresponding DNSKEY RR are in different zones, and because the
   DNS is only loosely consistent, temporary mismatches can occur.

Isso estabelece que vários DS RRs são permitidos e que cada um desses RRs SHOULD seja assinado por um DNSKEY RR correspondente. Embora o comportamento exato ao encontrar um órfão DS RR não seja explicitado, é estabelecido que as incompatibilidades podem acontecer e acontecem, e são esperadas.

Finalmente, pode-se colher a partir do reconhecimento de que as expectativas em contrário são falaciosas. Como tal, certamente poder-se-ia escrever uma implementação de validador que descartasse a zona como falsa, mas não seria muito útil fazê-lo. No final do dia, os principais fatores a serem considerados são se uma zona está ou não assinada e se existe um caminho criptográfico válido entre o DNS is only loosely consistent RRset e os RRs assinados.

link

5.11.  Mandatory Algorithm Rules

   The last paragraph of Section 2.2 of [RFC4035] includes rules
   describing which algorithms must be used to sign a zone.  Since these
   rules have been confusing, they are restated using different language
   here:

      The DS RRset and DNSKEY RRset are used to signal which algorithms
      are used to sign a zone.  The presence of an algorithm in either a
      zone's DS or DNSKEY RRset signals that that algorithm is used to
      sign the entire zone.

      A signed zone MUST include a DNSKEY for each algorithm present in
      the zone's DS RRset and expected trust anchors for the zone.  The
      zone MUST also be signed with each algorithm (though not each key)
      present in the DNSKEY RRset.  It is possible to add algorithms at
      the DNSKEY that aren't in the DS record, but not vice versa.  If
      more than one key of the same algorithm is in the DNSKEY RRset, it
      is sufficient to sign each RRset with any subset of these DNSKEYs.
      It is acceptable to sign some RRsets with one subset of keys (or
      key) and other RRsets with a different subset, so long as at least
      one DNSKEY of each algorithm is used to sign each RRset.
      Likewise, if there are DS records for multiple keys of the same
      algorithm, any subset of those may appear in the DNSKEY RRset.

   This requirement applies to servers, not validators.  Validators
   SHOULD accept any single valid path.  They SHOULD NOT insist that all
   algorithms signaled in the DS RRset work, and they MUST NOT insist
   that all algorithms signaled in the DNSKEY RRset work.  A validator
   MAY have a configuration option to perform a signature completeness
   test to support troubleshooting.

A imagem geral fica mais clara aqui; Os validadores não devem estar no negócio de policiar todas as permutações possíveis de DS e DS . O detalhe mais importante é se existe ou não um caminho válido.