[dns-operations] Algorithm but no signature in .in?
vladimir.cunat+ietf at nic.cz
Fri Mar 27 07:18:26 UTC 2020
On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
> Some resolvers protest on .in. It seems they have an RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
Note that in this case the mistake is on *both* sides, so it's an
opportunity to also fix these validators. See
> This requirement applies to servers, not validators. Validators SHOULD
> accept any single valid path.
> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
Seems to work for me at this moment, e.g.:
(Thanks for this restored feature again!)
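
Added example, not part of the original message or of any project's code: a sketch of the two checks this thread contrasts, the signer-side rule from RFC 4035 section 2.2 and the validator-side "any single valid path" policy. The zone name, key tags, algorithm choice and the `crypto_ok` flag (a stand-in for real signature verification) are constructed assumptions, not data from .in.

```python
# Added illustration; zone data below is constructed, not the real .in zone.
from collections import defaultdict

ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed apex DNSKEY RRset: (key_tag, algorithm)
DNSKEYS = [(11111, 7), (22222, 8)]

# Constructed RRSIGs: (owner, type_covered, algorithm, key_tag, crypto_ok)
# crypto_ok stands in for the result of real signature verification.
RRSIGS = [
    ("example.", "DNSKEY", 7, 11111, True),
    ("example.", "SOA", 7, 11111, True),
    ("example.", "NS", 7, 11111, True),
]

def missing_algorithms(dnskeys, rrsigs):
    """Signer-side audit (RFC 4035 section 2.2): for every signed RRset, list
    the DNSKEY algorithms that have no RRSIG made by a key in the DNSKEY RRset."""
    zone_algs = {alg for _, alg in dnskeys}
    keys = set(dnskeys)
    seen = defaultdict(set)
    for owner, rrtype, alg, tag, _ in rrsigs:
        seen[(owner, rrtype)]  # register the RRset even if the key is unknown
        if (tag, alg) in keys:
            seen[(owner, rrtype)].add(alg)
    return {rrset: sorted(zone_algs - algs)
            for rrset, algs in seen.items() if zone_algs - algs}

def validator_accepts(owner, rrtype, dnskeys, rrsigs):
    """Validator-side policy: one valid path is enough; other algorithms in
    the DNSKEY RRset are not required to have signatures."""
    keys = set(dnskeys)
    return any(ok and (tag, alg) in keys
               for o, t, alg, tag, ok in rrsigs if (o, t) == (owner, rrtype))

if __name__ == "__main__":
    for (owner, rrtype), algs in sorted(missing_algorithms(DNSKEYS, RRSIGS).items()):
        names = ", ".join(ALG_NAMES.get(a, str(a)) for a in algs)
        print(f"{owner} {rrtype}: no RRSIG for algorithm(s) {names}")
    print("validator accepts SOA:",
          validator_accepts("example.", "SOA", DNSKEYS, RRSIGS))
```

On the constructed data the audit flags every RRset as missing an algorithm 8 signature, while the validator check still accepts each RRset through its algorithm 7 signature.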