[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Sep 14 08:22:07 UTC 2010


Several of the online DNSSEC checking tools complain when a zone is
not signed with the mandatory algorithm RSA/SHA1 (which is the case of
.CAT, .PM and the root - although this one is difficult to test with
many tools which choke on ".").

For instance, two good tools, <http://dnscheck.iis.se> or
<http://dnscheck.pingdom.com/> complain on that. Other tools have no
problem.

Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
my reading of the RFCs) or actually "mandatory to use" in every signed
zone?

RFC 4034, appendix A, and
<http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>
(which does not indicate if the algorithm is mandatory or not).
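The two readings in the question can be separated mechanically. Below is an added example (not from the original post or from any of the tools mentioned) that takes DNSKEY and RRSIG records in presentation format and reports two things: whether algorithm 5 (RSA/SHA1) appears in the apex DNSKEY RRset at all, which is what the strict "mandatory to use" checkers complain about, and whether the zone satisfies the RFC 4035 section 2.2 rule that every algorithm present in the DNSKEY RRset must also sign each RRset. The sample records are constructed (truncated key and signature material, placeholder zone name) and the algorithm numbers are the IANA registry values.

```python
"""Added example: separate 'is RSA/SHA1 present?' from the RFC 4035 consistency rule."""
from collections import defaultdict

# Algorithm numbers from the IANA DNSSEC algorithm registry.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256"}
RSA_SHA1 = 5

# Constructed sample: an apex signed only with RSASHA256 (algorithm 8),
# the situation the post describes for .CAT, .PM and the root.
SAMPLE_NO_SHA1 = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAc...KSK...
example.test. 3600 IN DNSKEY 256 3 8 AwEAAd...ZSK...
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100930000000 20100901000000 12345 example.test. abcd...
example.test. 3600 IN RRSIG SOA 8 2 3600 20100930000000 20100901000000 54321 example.test. efgh...
"""

# Constructed sample: both algorithm 5 and 8 keys are published, but SOA is
# signed only with algorithm 8, which breaks RFC 4035 section 2.2.
SAMPLE_INCONSISTENT = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAe...KSK5...
example.test. 3600 IN DNSKEY 257 3 8 AwEAAc...KSK8...
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20100930000000 20100901000000 11111 example.test. ijkl...
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100930000000 20100901000000 12345 example.test. abcd...
example.test. 3600 IN RRSIG SOA 8 2 3600 20100930000000 20100901000000 54321 example.test. efgh...
"""


def parse_records(zone_text):
    """Parse presentation-format DNSKEY and RRSIG lines; other types are ignored."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        rtype = fields[3]
        if rtype == "DNSKEY" and len(fields) >= 8:
            # owner ttl IN DNSKEY flags protocol algorithm public-key
            records.append({"type": "DNSKEY", "flags": int(fields[4]),
                            "alg": int(fields[6])})
        elif rtype == "RRSIG" and len(fields) >= 13:
            # owner ttl IN RRSIG type-covered algorithm labels orig-ttl
            #   expiration inception key-tag signer signature
            records.append({"type": "RRSIG", "covers": fields[4],
                            "alg": int(fields[5]), "keytag": int(fields[10])})
    return records


def check_zone(records):
    """Report DNSKEY algorithms, RSA/SHA1 presence, and RFC 4035 2.2 consistency."""
    dnskey_algs = {r["alg"] for r in records if r["type"] == "DNSKEY"}
    sig_algs = defaultdict(set)
    for r in records:
        if r["type"] == "RRSIG":
            sig_algs[r["covers"]].add(r["alg"])
    # For every signed RRset, each DNSKEY algorithm must contribute an RRSIG.
    missing = {covered: sorted(dnskey_algs - algs)
               for covered, algs in sig_algs.items() if dnskey_algs - algs}
    return {
        "dnskey_algs": sorted(dnskey_algs),
        "dnskey_alg_names": [ALG_NAMES.get(a, f"alg{a}") for a in sorted(dnskey_algs)],
        "has_rsa_sha1": RSA_SHA1 in dnskey_algs,
        "rfc4035_consistent": bool(sig_algs.get("DNSKEY")) and not missing,
        "missing": missing,
    }


def verdict(zone_text):
    """Human-readable summary of the two readings of 'mandatory'."""
    result = check_zone(parse_records(zone_text))
    lines = [f"DNSKEY algorithms: {result['dnskey_alg_names']}"]
    if result["has_rsa_sha1"]:
        lines.append("RSA/SHA1 present: passes even a 'mandatory to use' checker")
    else:
        lines.append("RSA/SHA1 absent: fails a 'mandatory to use' reading, "
                     "fine under 'mandatory to implement'")
    if result["rfc4035_consistent"]:
        lines.append("RFC 4035 2.2: every DNSKEY algorithm signs every RRset")
    else:
        lines.append(f"RFC 4035 2.2 violated, missing signatures: {result['missing']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(SAMPLE_NO_SHA1))
    print()
    print(verdict(SAMPLE_INCONSISTENT))
```

The first sample is exactly the case the post asks about: no algorithm 5 key anywhere, yet every published algorithm signs every RRset, so the zone is internally consistent and only a tool applying the "mandatory to use" reading will flag it. The second sample shows the failure mode RFC 4035 actually forbids, where a published algorithm is left unused on some RRset; that is the condition a validator with strict algorithm handling will treat as bogus, independent of which algorithms are involved.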
