[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?
bortzmeyer at nic.fr
Tue Sep 14 08:22:07 UTC 2010

Several of the online DNSSEC checking tools complain when a zone is
not signed with the mandatory algorithm RSA/SHA1 (which is the case for
.CAT, .PM and the root - although this one is difficult to test with
many tools which choke on ".").

For instance, two good tools, <http://dnscheck.iis.se> or
<http://dnscheck.pingdom.com/> complain about that. Other tools have no

Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
my reading of the RFCs) or actually "mandatory to use" in every signed

RFC 4034, appendix A, and
(which does not indicate if the algorithm is mandatory or not).