[dns-operations] Strange behavior of google public resolver

Thu Apr 18 10:15:54 UTC 2019

On Thu, Apr 18, 2019 at 11:07:14AM +0100,
 Jim Reid <jim at rfc1035.com> wrote 
 a message of 8 lines which said:

> > Of course, it would be better to move away from DSA, but it shouldn't
> > make a SERVFAIL, just a lack of validation
> 
> ? If DSA signatures can't be validated, SERVFAIL is the correct response.

No. They can be validated (my Unbound can do it). At worse, the
algorithm can be unknown for the resolver, and then ignored (reply
without AD, the most common for this domain).