[dns-operations] Algorithm but no signature in .in?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 27 07:52:45 UTC 2020


On Fri, Mar 27, 2020 at 06:37:46PM +1100, Mark Andrews wrote:

> BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf as
> it also supports RSASHA256.  India just stuffed up the key management.

Is the TLD managed by Neustar?  But perhaps not the master copy of the
zone?  In any case, perhaps it is already fixed?  The latest SOA is
signed with both algorithms:

    ; NoError AD=1
    in. IN SOA ns1.neustar.in. hostmaster at neustar.in. 1585295284 1800 300 1814400 1800
    in. IN RRSIG SOA 7 1 900 20200426074806 20200327064806 9182 in. <...>
    in. IN RRSIG SOA 8 1 900 20200426074806 20200327064806 65169 in. <...>

-- 
    Viktor.



More information about the dns-operations mailing list