[dns-operations] Algorithm but no signature in .in?

Mark Andrews marka at isc.org
Fri Mar 27 06:47:48 UTC 2020


> On 27 Mar 2020, at 16:44, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> Some resolvers protest on .in. It seems they have an RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM".

They not only have DNSKEYs but they also have DS records.

in.			85995	IN	DS	35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in.			85995	IN	DS	54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in.			85995	IN	DS	54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in.			85995	IN	DS	35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C

This will break anyone who supports RSASHA256 (8) but has disabled
NSEC3RSASHA1 (7). They should fully sign the zone with both algorithms or
remove the DS records for RSASHA256 (8).

Mark


> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
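
Added example, not part of the original message or of any resolver's code: a simplified Python model of the RFC 4035 section 2.2 algorithm-coverage check discussed above, including the case of a validator that supports algorithm 8 but not 7. The DS lines are the ones quoted in the message; the DNSKEY and RRSIG lines, the function names and the three outcome labels are assumptions constructed for illustration, and no signature is cryptographically verified.

```python
"""Check the RFC 4035 section 2.2 algorithm-coverage rule on a set of records."""

# DS lines are the ones quoted in the message. DNSKEY and RRSIG lines are
# CONSTRUCTED to model the reported state (key tag reused from the DS set;
# TTLs, timestamps and "PLACEHOLDER" key/signature data are not real).
RECORDS = """\
in. 85995 IN DS 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in. 85995 IN DS 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in. 85995 IN DS 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in. 85995 IN DS 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C
in. 3600 IN DNSKEY 257 3 7 PLACEHOLDER
in. 3600 IN DNSKEY 257 3 8 PLACEHOLDER
in. 3600 IN RRSIG DNSKEY 7 1 3600 20200410000000 20200320000000 35373 in. PLACEHOLDER
in. 3600 IN RRSIG SOA 7 1 3600 20200410000000 20200320000000 35373 in. PLACEHOLDER
"""

def algorithms(text):
    """Return (DS algs, DNSKEY algs, {covered type: RRSIG algs}) as sets of ints."""
    ds, keys, sigs = set(), set(), {}
    for line in text.splitlines():
        f = line.split()
        rtype, rdata = f[3], f[4:]
        if rtype == "DS":
            ds.add(int(rdata[1]))        # key tag, ALGORITHM, digest type, digest
        elif rtype == "DNSKEY":
            keys.add(int(rdata[2]))      # flags, protocol, ALGORITHM, key
        elif rtype == "RRSIG":
            sigs.setdefault(rdata[0], set()).add(int(rdata[1]))  # covered, ALGORITHM
    return ds, keys, sigs

def missing_signatures(text):
    """Map each signed RRset type to the signalled algorithms with no RRSIG for it."""
    ds, keys, sigs = algorithms(text)
    required = ds | keys                 # every algorithm signalled by parent or apex
    return {t: sorted(required - a) for t, a in sigs.items() if required - a}

def validator_outcome(text, supported):
    """Outcome for a validator that implements only the `supported` algorithms."""
    ds, _, sigs = algorithms(text)
    usable = ds & set(supported)
    if not usable:
        return "insecure"                # no DS algorithm understood: treated as unsigned
    # The chain can only be built through an algorithm the validator supports.
    return "secure" if usable & sigs.get("DNSKEY", set()) else "bogus"

if __name__ == "__main__":
    print(missing_signatures(RECORDS))
    for algs in ({7, 8}, {8}, {7}, set()):
        print(sorted(algs), validator_outcome(RECORDS, algs))
```

The model treats a validator that supports both algorithms as accepting the algorithm 7 signatures; resolvers that enforce the section 2.2 rule strictly would reject the zone in that case too.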



