[dns-operations] Algorithm but no signature in .in?

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Fri Mar 27 07:18:26 UTC 2020


On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH

Note that in this case the mistake is on *both* sides, so it's an
opportunity to also fix these validators.  See

> This requirement applies to servers, not validators. Validators SHOULD
> accept any single valid path.


> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)

Seems to work for me at this moment, e.g.:
(Thanks for this restored feature again!)
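
The two sides of the mistake discussed above, as an added example that is not part of the original message: a zone-side check for the RFC 4035 section 2.2 rule and a validator-side decision following the quoted "accept any single valid path". The records, the owner name example., the function names and the use of algorithm 7 for the signing key are constructed assumptions, and signatures are assumed to verify cryptographically.

```python
# Added illustration; not code from the mailing-list post or any resolver.
from collections import defaultdict

# Constructed dig-style records (not real .in data): two DNSKEY algorithms
# (7 and 8 = RSASHA256), but RRSIGs made with algorithm 7 only.
SAMPLE = """\
example. 3600 IN DNSKEY 257 3 7 AwEAAc-constructed-key-a
example. 3600 IN DNSKEY 257 3 8 AwEAAc-constructed-key-b
example. 3600 IN RRSIG DNSKEY 7 1 3600 20200410000000 20200327000000 11111 example. c2ln
example. 3600 IN RRSIG SOA 7 1 3600 20200410000000 20200327000000 11111 example. c2ln
example. 3600 IN RRSIG NS 7 1 3600 20200410000000 20200327000000 11111 example. c2ln
"""

def parse_algorithms(text):
    """Return (DNSKEY algorithms, {(owner, covered type): RRSIG algorithms})."""
    key_algs, sig_algs = set(), defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":                 # flags, protocol, algorithm, key
            key_algs.add(int(f[6]))
        elif f[3] == "RRSIG":                # type covered, algorithm, ...
            sig_algs[(f[0].lower(), f[4])].add(int(f[5]))
    return key_algs, dict(sig_algs)

def signer_violations(key_algs, sig_algs):
    """Zone side: each RRset needs an RRSIG for every DNSKEY algorithm."""
    return {rrset: sorted(key_algs - algs)
            for rrset, algs in sig_algs.items() if key_algs - algs}

def validator_accepts(key_algs, rrset_algs, supported, strict):
    """Validator side. strict=True models a resolver that enforces the signer
    rule itself; strict=False accepts any single path it can verify."""
    wanted = key_algs & supported
    if strict:
        return bool(wanted) and wanted <= rrset_algs
    return bool(wanted & rrset_algs)

if __name__ == "__main__":
    keys, sigs = parse_algorithms(SAMPLE)
    for rrset, missing in signer_violations(keys, sigs).items():
        print("zone-side violation:", rrset, "missing algorithms", missing)
    soa = sigs[("example.", "SOA")]
    print("strict validator accepts SOA: ", validator_accepts(keys, soa, {7, 8}, True))
    print("lenient validator accepts SOA:", validator_accepts(keys, soa, {7, 8}, False))
```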

