[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?
george.barwood at blueyonder.co.uk
Tue Sep 14 08:54:06 UTC 2010
----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at mail.dns-oarc.net>
Sent: Tuesday, September 14, 2010 9:22 AM
Subject: [dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?
> Several of the online DNSSEC checking tools complain when a zone is
> not signed with the mandatory algorithm RSA/SHA1 (which is the case of
> .CAT, .PM and the root - although this one is difficult to test with
> many tools which choke on ".").
> For instance, two good tools, <http://dnscheck.iis.se> or
> <http://dnscheck.pingdom.com/> complain about that. Other tools have no
> Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
> my reading of the RFCs) or actually "mandatory to use" in every signed
It is "mandatory to implement" not "mandatory to use".
RFC 4034, Appendix A states
A DNSSEC aware resolver or name server MUST implement all MANDATORY
The other reading would mean that zones signed with, say, RSA/SHA256 must
also be signed with RSA/SHA1, which would be ridiculous.
> RFC 4034, appendix A, and
> (which does not indicate if the algorithm is mandatory or not).
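Added example (not part of the original thread, and not code from any of the tools mentioned): the two algorithm-coverage checks that fall out of the "mandatory to implement" reading. On the validator side, RFC 4035 Section 5.2 says a resolver that implements none of the algorithms in an authenticated DS RRset has no supported authentication path and treats the child as unsigned, so a zone signed only with RSA/SHA256 validates fine for any resolver implementing algorithm 8 and is simply insecure (not bogus) for one that implements only algorithm 5. On the zone side, RFC 6840 Section 5.11 is the rule the checkers should be testing: every algorithm listed in the DS RRset must have a DNSKEY and sign the zone. The record classes, function names and all sample records below are constructed for illustration; the algorithm and digest numbers are the IANA ones.

```python
"""Added example: DNSSEC algorithm-coverage checks, validator side and zone
side.  Algorithm numbers are from RFC 4034 Appendix A and later
registrations; the record classes, function names and sample data are
constructed for illustration and do not come from any real zone."""

from dataclasses import dataclass

# DNSKEY/DS algorithm numbers (IANA "DNS Security Algorithm Numbers").
RSASHA1 = 5           # the RFC 4034 Appendix A "mandatory to implement" algorithm
RSASHA256 = 8         # RFC 5702
ECDSAP256SHA256 = 13  # RFC 6605

# DS digest types (RFC 4034 Appendix A.2, RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, as in presentation format


@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    key_tag: int    # normally derived from the RDATA (RFC 4034 App. B); given directly here


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int


def usable_ds(ds_rrset, supported_algorithms, supported_digests):
    """DS records the validator can actually use: it must implement both the
    key algorithm and the digest type (RFC 4035 Section 5.2)."""
    return {ds for ds in ds_rrset
            if ds.algorithm in supported_algorithms
            and ds.digest_type in supported_digests}


def delegation_status(ds_rrset, supported_algorithms, supported_digests):
    """How a validator treats a child zone given the DS RRset it authenticated
    at the parent.

    RFC 4035 Section 5.2: if none of the DS records use an algorithm and digest
    the validator implements, there is no supported authentication path and the
    child is treated as if it were unsigned ("insecure"), not as a failure.
    Only the algorithms the zone actually uses matter; RSA/SHA-1 need not be
    among them.
    """
    if usable_ds(ds_rrset, supported_algorithms, supported_digests):
        return "secure"
    return "insecure"


def algorithms_missing_from_zone(ds_rrset, dnskeys, rrsigs):
    """Zone-side counterpart (RFC 6840 Section 5.11): every algorithm listed in
    the DS RRset must have a DNSKEY in the zone and must be used to sign the
    zone's RRsets.  Returns the DS algorithms that break this rule."""
    key_algorithms = {k.algorithm for k in dnskeys}
    sig_algorithms = {s.algorithm for s in rrsigs}
    return {ds.algorithm for ds in ds_rrset
            if ds.algorithm not in key_algorithms
            or ds.algorithm not in sig_algorithms}


# Constructed sample: a zone signed with RSA/SHA-256 only.  Key tags and the
# digest are placeholders, not values from any real zone.
SAMPLE_DS = {DS(key_tag=4242, algorithm=RSASHA256, digest_type=DIGEST_SHA256,
                digest="ab" * 32)}
SAMPLE_DNSKEYS = {DNSKEY(flags=257, algorithm=RSASHA256, key_tag=4242),
                  DNSKEY(flags=256, algorithm=RSASHA256, key_tag=31337)}
SAMPLE_RRSIGS = {RRSIG(type_covered="DNSKEY", algorithm=RSASHA256, key_tag=4242),
                 RRSIG(type_covered="SOA", algorithm=RSASHA256, key_tag=31337)}

# Two validators: a current one, and one implementing only the RFC 4034
# mandatory algorithm.
MODERN_VALIDATOR = ({RSASHA1, RSASHA256, ECDSAP256SHA256},
                    {DIGEST_SHA1, DIGEST_SHA256})
SHA1_ONLY_VALIDATOR = ({RSASHA1}, {DIGEST_SHA1, DIGEST_SHA256})


if __name__ == "__main__":
    print("modern validator:    ", delegation_status(SAMPLE_DS, *MODERN_VALIDATOR))
    print("SHA-1-only validator:", delegation_status(SAMPLE_DS, *SHA1_ONLY_VALIDATOR))
    print("zone-side gaps:      ",
          algorithms_missing_from_zone(SAMPLE_DS, SAMPLE_DNSKEYS, SAMPLE_RRSIGS))
```

Running it prints "secure" for the modern validator and "insecure" for the SHA-1-only one, with no zone-side gaps: the RSA/SHA256-only zone is correctly signed, and the only cost of not also using RSA/SHA1 is that a resolver implementing nothing else falls back to treating the zone as unsigned. That fallback, rather than any RFC requirement, is the practical reason a checking tool might warn about it. Adding an RSA/SHA1 DS at the parent without a matching DNSKEY and signatures in the zone is the case RFC 6840 forbids, and algorithms_missing_from_zone reports it.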