[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Sep 14 08:22:07 UTC 2010

Several of the online DNSSEC checking tools complain when a zone is
not signed with the mandatory algorithm RSA/SHA1 (which is the case for
.CAT, .PM and the root, although this one is difficult to test with
many tools, which choke on ".").

For instance, two good tools, <http://dnscheck.iis.se> and
<http://dnscheck.pingdom.com/>, complain about that. Other tools have no

Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
my reading of the RFCs) or actually "mandatory to use" in every signed

RFC 4034, appendix A, and
(which does not indicate if the algorithm is mandatory or not).

