[dns-operations] Algorithm but no signature in .in?
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Fri Mar 27 07:18:26 UTC 2020
Hello.
On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM".
Note that in this case the mistake is on *both* sides, so it's an
opportunity to also fix these validators. See
> This requirement applies to servers, not validators. Validators SHOULD
> accept any single valid path.
https://tools.ietf.org/html/rfc6840#section-5.11
> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
Seems to work for me at this moment, e.g.:
https://dnsviz.net/d/registry.in/XnzgYw/dnssec/
(Thanks for this restored feature again!)
--Vladimir
More information about the dns-operations
mailing list