[dns-operations] Algorithm but no signature in .in?

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Fri Mar 27 07:18:26 UTC 2020


Hello.

On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM".

Note that in this case the mistake is on *both* sides, so it's an
opportunity to also fix these validators.  See

> This requirement applies to servers, not validators. Validators SHOULD
> accept any single valid path.

https://tools.ietf.org/html/rfc6840#section-5.11
 

> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)

Seems to work for me at this moment, e.g.:
https://dnsviz.net/d/registry.in/XnzgYw/dnssec/
(Thanks for this restored feature again!)

--Vladimir




More information about the dns-operations mailing list