[dns-operations] Strange behavior of google public resolver

Bryan Hughes bhughes at tiggee.com
Thu Apr 18 13:45:08 UTC 2019


Taras -

What's going on with your KSKs in this domain? KeyID 35973 using algo 10
is invalid (http://dnsviz.net/d/rv.ua/dnssec/), KeyID 613 using a very old
algo 3 is valid. For what it's worth, Google DNS SERVFAILs for me when I
break the KSK on a test domain. Perhaps they are at times validating on
KeyID 613 (and subsequent NOERROR response) and the rest of the time
failing to validate KeyID 35973?


On Thu, Apr 18, 2019 at 7:22 AM Taras Heichenko <tasic at hostmaster.ua> wrote:

>
>
> > On Apr 18, 2019, at 13:07, Jim Reid <jim at rfc1035.com> wrote:
> >
> >
> >
> >> On 18 Apr 2019, at 10:46, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >>
> >> Of course, it would be better to move away from DSA, but it shouldn't
> >> make a SERVFAIL, just a lack of validation
> >
> > ? If DSA signatures can't be validated, SERVFAIL is the correct response.
>
> Then why does the Google resolver sometimes give the answer with NSes?
> Sometimes it can validate the DSA signature and sometimes not?
>
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
> --
> Best regards
>
> Taras Heichenko
> tasic at hostmaster.ua
>
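
Added example, not part of the original message or of any resolver's code: a simplified model of how a validator's supported algorithm set decides between secure, insecure and bogus for the two KSKs discussed in this thread. It assumes the parent publishes a DS record for each key; the node names and their algorithm sets are hypothetical.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry): 3 = DSA/SHA1, 10 = RSASHA512.

@dataclass(frozen=True)
class Ksk:
    key_tag: int
    algorithm: int
    chain_valid: bool  # does the DS -> DNSKEY -> RRSIG path verify via this key?

# Key IDs, algorithms and validity as reported in the message above.
# Assumption: the parent zone publishes a DS record for each of the two keys.
RV_UA = [Ksk(35973, 10, False), Ksk(613, 3, True)]

def validate(ksks, supported):
    """Return (security state, RCODE) for a validator supporting `supported` algorithms."""
    usable = [k for k in ksks if k.algorithm in supported]
    if not usable:
        # RFC 4035 section 5.2: no supported algorithm in the DS set means
        # the zone is treated as unsigned, not as a failure.
        return ("insecure", "NOERROR")
    if any(k.chain_valid for k in usable):
        # RFC 6840 section 5.11: any single valid path is sufficient.
        return ("secure", "NOERROR")
    # Every path the validator can evaluate is broken.
    return ("bogus", "SERVFAIL")

# Hypothetical resolver nodes with differing algorithm support (constructed).
FLEET = {
    "dsa-and-rsa": {3, 10},
    "rsa-only": {10},
    "dsa-only": {3},
    "neither": {13},
}

def outcomes(ksks, fleet):
    """Map each node name to its validation outcome for the same zone."""
    return {name: validate(ksks, algs) for name, algs in fleet.items()}

if __name__ == "__main__":
    for node, (state, rcode) in outcomes(RV_UA, FLEET).items():
        print(f"{node:12} {state:9} {rcode}")
```

In this model only the node that supports algorithm 10 but not DSA returns SERVFAIL, because the single path it can evaluate is the broken one.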