[dns-operations] DNSSEC issue - why?

Kevin Chen kchen at mit.edu
Tue Jun 9 07:12:53 UTC 2015


On 6/9/15 2:47 AM, Gilles Massen wrote:
> In short: bind and unbound fail to validate, Google, dnsviz (
> http://dnsviz.net/d/hollington.ca/dnssec/ ) or dnssec-debugger (
> http://dnssec-analyzer.verisignlabs.com/hollington.ca ) are fine.
>
> More detailed: delv complains with
> ;; validating hollington.ca/DNSKEY: no DNSKEY matching DS
> ;; validating hollington.ca/DNSKEY: no valid signature found (DS)
>
> which looks quite simple, however the KSK DNSKEY from hollington.ca is
> part of the DS set. The only notable part of the DS set is that it
> contains 4 keys, among which is an older (?) with a longer hash.

RFC 4509 says:

    Implementations MUST support the use of the SHA-256 algorithm in DS
    RRs.  Validator implementations SHOULD ignore DS RRs containing SHA-1
    digests if DS RRs with SHA-256 digests are present in the DS RRset.

I assume the various resolvers are making different choices with regard 
to SHOULD.

--
Kevin Chen
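The following is an added worked example, not part of the original thread or of any resolver's code. It models only the DS-to-DNSKEY matching step behind delv's "no DNSKEY matching DS" message (RRSIG verification is left out), under the scenario Kevin describes: a SHA-1 DS matches the published KSK, while the only SHA-256 DS in the set points at a key that is no longer in the zone. The zone name, key bytes and DS records are constructed for the example and are not hollington.ca's real data. A validator that honours the RFC 4509 SHOULD discards the SHA-1 DS RRs and finds no match; one that ignores the SHOULD accepts the SHA-1 match; publishing a SHA-256 DS for the live KSK satisfies both.

```python
"""Constructed illustration of DS digest-type selection per RFC 4509.
Every name, key and DS record here is made up for the example."""
import hashlib

# Digest types this toy validator understands (RFC 4034: 1 = SHA-1, RFC 4509: 2 = SHA-256).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    flags, protocol, algorithm, pubkey = key
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the variant for everything except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, key, digest_type):
    """DS = (key tag, algorithm, digest type, digest(owner wire form | DNSKEY RDATA)), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), key[2], digest_type, digest)


def ds_matches(ds, owner, key):
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: the DS cannot be used
    rdata = dnskey_rdata(key)
    return (tag == key_tag(rdata) and alg == key[2]
            and DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).digest() == digest)


def usable_ds(ds_set, honour_rfc4509):
    """RFC 4509 section 3: SHOULD ignore SHA-1 DS RRs when any SHA-256 DS RR is present."""
    if honour_rfc4509 and any(ds[2] == 2 for ds in ds_set):
        return [ds for ds in ds_set if ds[2] != 1]
    return list(ds_set)


def find_trusted_dnskey(owner, ds_set, dnskey_rrset, honour_rfc4509=True):
    """Return the DNSKEY an accepted DS points at, or None ("no DNSKEY matching DS").
    Only the DS->DNSKEY match is modelled; verifying the RRSIG over the DNSKEY RRset is out of scope."""
    for ds in usable_ds(ds_set, honour_rfc4509):
        for key in dnskey_rrset:
            if key[0] & 0x0100 and ds_matches(ds, owner, key):  # Zone Key flag must be set
                return key
    return None


# --- constructed scenario: hypothetical zone, made-up key bytes (not real public keys) ---
ZONE = "example.test."
CURRENT_KSK = (257, 3, 8, bytes(range(0x10, 0x50)))   # published in the zone's DNSKEY RRset
RETIRED_KSK = (257, 3, 8, bytes(range(0x60, 0xA0)))   # rolled out of the zone long ago
ANOTHER_OLD_KSK = (257, 3, 8, bytes(range(0xA0, 0xE0)))
DNSKEY_RRSET = [CURRENT_KSK, (256, 3, 8, bytes(range(0x20, 0x40)))]  # live KSK plus a ZSK

DS_SET = [
    make_ds(ZONE, CURRENT_KSK, 1),      # SHA-1, matches the live KSK
    make_ds(ZONE, RETIRED_KSK, 1),      # SHA-1, stale
    make_ds(ZONE, RETIRED_KSK, 2),      # SHA-256 (the "longer hash"), stale: key no longer published
    make_ds(ZONE, ANOTHER_OLD_KSK, 1),  # SHA-1, stale
]

# The remedy: publish a SHA-256 DS for the live KSK alongside the rest.
FIXED_DS_SET = DS_SET + [make_ds(ZONE, CURRENT_KSK, 2)]

if __name__ == "__main__":
    for label, policy in (("honours RFC 4509 SHOULD", True), ("ignores the SHOULD", False)):
        ok = find_trusted_dnskey(ZONE, DS_SET, DNSKEY_RRSET, policy) is not None
        print(f"{label}: DS->DNSKEY match found = {ok}")
    ok = find_trusted_dnskey(ZONE, FIXED_DS_SET, DNSKEY_RRSET, True) is not None
    print(f"after adding a SHA-256 DS for the live KSK: match found = {ok}")
```

The practical check when chasing this class of failure is to compare the digest types in the parent's DS RRset against the child's current KSK: if the only SHA-256 DS records point at keys that are gone, a strict validator has nothing left to match once it drops the SHA-1 entries, and the fix is on the registrar side (publish a SHA-256 DS for the live key and retire the stale ones), not in the zone's signatures.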
