[dns-operations] Strange behavior of google public resolver

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Apr 18 10:15:54 UTC 2019

On Thu, Apr 18, 2019 at 11:07:14AM +0100,
 Jim Reid <jim at rfc1035.com> wrote 
 a message of 8 lines which said:

> > Of course, it would be better to move away from DSA, but it shouldn't
> > make a SERVFAIL, just a lack of validation
> ? If DSA signatures can't be validated, SERVFAIL is the correct response.

No. They can be validated (my Unbound can do it). At worst, the
algorithm can be unknown for the resolver, and then ignored (reply
without AD, the most common for this domain).
