[dns-operations] DNSSEC issue - why?
Kevin Chen
kchen at mit.edu
Tue Jun 9 07:12:53 UTC 2015
On 6/9/15 2:47 AM, Gilles Massen wrote:
> In short: bind and unbound fail to validate, Google, dnsviz (
> http://dnsviz.net/d/hollington.ca/dnssec/ ) or dnssec-debugger (
> http://dnssec-analyzer.verisignlabs.com/hollington.ca ) are fine.
>
> More detailed: delv complains with
> ;; validating hollington.ca/DNSKEY: no DNSKEY matching DS
> ;; validating hollington.ca/DNSKEY: no valid signature found (DS)
>
> which looks quite simple, however the KSK DNSKEY from hollington.ca is
> part of the DS set. The only notable part of the DS set is that it
> contains 4 keys, among which is an older (?) with a longer hash.
RFC 4509 says:
Implementations MUST support the use of the SHA-256 algorithm in DS
RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
digests if DS RRs with SHA-256 digests are present in the DS RRset.
I assume the various resolvers are making different choices with regard
to SHOULD.
--
Kevin Chen
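To make the SHOULD in RFC 4509 concrete, here is an added example (not code from the thread or from any resolver) that builds DS records from DNSKEY RDATA and then checks a DS set with and without the "ignore SHA-1 when SHA-256 is present" rule. The zone name is taken from the thread, but the key bytes are constructed placeholders, not hollington.ca's real keys.

```python
import hashlib
from dataclasses import dataclass

ZONE = "hollington.ca."
# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8, fake key.
KSK_RDATA = bytes([0x01, 0x01, 3, 8]) + b"\x03\x01\x00\x01" + bytes(range(32))
OLD_KSK_RDATA = bytes([0x01, 0x01, 3, 8]) + b"\x03\x01\x00\x01" + bytes(range(32, 64))

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercased, uncompressed)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256 (RFC 4509)
    digest: bytes

def make_ds(zone: str, rdata: bytes, digest_type: int) -> DS:
    """DS RR a parent would publish: hash(owner name wire form | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return DS(key_tag(rdata), rdata[3], digest_type, h(name_to_wire(zone) + rdata).digest())

def usable_ds(ds_set: list, strict_rfc4509: bool) -> list:
    """RFC 4509 SHOULD: drop SHA-1 DS RRs whenever a SHA-256 DS RR is in the set."""
    if strict_rfc4509 and any(d.digest_type == 2 for d in ds_set):
        return [d for d in ds_set if d.digest_type != 1]
    return list(ds_set)

def validates(zone: str, dnskeys: list, ds_set: list, strict: bool) -> bool:
    """True if some usable DS matches a key in the child's published DNSKEY RRset."""
    return any(ds == make_ds(zone, rdata, ds.digest_type)
               for rdata in dnskeys for ds in usable_ds(ds_set, strict))

def scenario() -> tuple:
    """SHA-1 DS for the live KSK plus a stale SHA-256 DS: (strict result, lenient result)."""
    ds_set = [make_ds(ZONE, KSK_RDATA, 1), make_ds(ZONE, OLD_KSK_RDATA, 2)]
    published = [KSK_RDATA]  # the old KSK is no longer in the zone's DNSKEY RRset
    return validates(ZONE, published, ds_set, True), validates(ZONE, published, ds_set, False)
```

A validator applying the SHOULD sees only the stale SHA-256 DS and reports "no DNSKEY matching DS"; one that keeps the SHA-1 DS validates the same data.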