[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?

George Barwood george.barwood at blueyonder.co.uk
Tue Sep 14 08:54:06 UTC 2010

----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at mail.dns-oarc.net>
Sent: Tuesday, September 14, 2010 9:22 AM
Subject: [dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?

> Several of the online DNSSEC checking tools complain when a zone is
> not signed with the mandatory algorithm RSA/SHA1 (which is the case for
> .CAT, .PM and the root - although this one is difficult to test with
> many tools which choke on ".").
> For instance, two good tools, <http://dnscheck.iis.se> or
> <http://dnscheck.pingdom.com/>, complain about that. Other tools have no
> problem.
> Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
> my reading of the RFCs) or actually "mandatory to use" in every signed
> zone?

It is "mandatory to implement" not "mandatory to use".

RFC 4034, Appendix A states:

   A DNSSEC aware resolver or name server MUST implement all MANDATORY

The other reading would mean that zones signed with, say, RSA/SHA256 must
also be signed with RSA/SHA1, which would be ridiculous.

- George

> RFC 4034, appendix A, and
> <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>
> (which does not indicate if the algorithm is mandatory or not).
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
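
The distinction drawn in this message, as an added example that is not part of the original thread: a checking tool can test the mandatory algorithm against the validating software rather than against the zone, and only flag a zone when the validator implements none of its algorithms. Algorithm numbers 5 (RSA/SHA1) and 8 (RSA/SHA256) are the IANA assignments; the function names and the sample DNSKEY records (with placeholder key data) are constructed for illustration.

```python
# Added example: "mandatory to implement" constrains validators, not zones.
MANDATORY_TO_IMPLEMENT = {5}  # RSA/SHA1, per RFC 4034 Appendix A

# Constructed sample: a zone signed only with RSA/SHA256 (algorithm 8).
# The key data is a placeholder, not a real public key.
SAMPLE_ZONE = """\
example. 86400 IN DNSKEY 257 3 8 QUJDRA== ; KSK (constructed)
example. 86400 IN DNSKEY 256 3 8 RUZHSA== ; ZSK (constructed)
"""

def dnskey_algorithms(zone_text):
    """Return the algorithm numbers used by DNSKEY records.

    Assumes presentation format with a numeric algorithm field:
    owner [ttl] [class] DNSKEY flags protocol algorithm key
    """
    algs = set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comment
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            if len(fields) > i + 3:
                algs.add(int(fields[i + 3]))
    return algs

def check_validator(implemented):
    """Software conformance: list mandatory algorithms the validator lacks."""
    return sorted(MANDATORY_TO_IMPLEMENT - set(implemented))

def check_zone(zone_text, validator_algs):
    """Zone check: never require a particular algorithm to be in use.

    A finding is raised only when the validator shares no algorithm
    with the zone, so it could not verify any of the zone's signatures.
    """
    algs = dnskey_algorithms(zone_text)
    if not algs:
        return ["ERROR: no DNSKEY records found"]
    if not algs & set(validator_algs):
        used = ", ".join(str(a) for a in sorted(algs))
        return ["WARNING: validator implements none of the zone's "
                "algorithms (" + used + ")"]
    return []

if __name__ == "__main__":
    print(check_zone(SAMPLE_ZONE, {5, 8}))  # zone without RSA/SHA1: no finding
    print(check_validator({8}))             # validator without RSA/SHA1: flagged
```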
