[dns-operations] Algorithm but no signature in .in?

Mark Andrews marka at isc.org
Fri Mar 27 10:25:35 UTC 2020



> On 27 Mar 2020, at 18:52, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Fri, Mar 27, 2020 at 06:37:46PM +1100, Mark Andrews wrote:
> 
>> BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf as
>> it also supports RSASHA256.  India just stuffed up the key management.
> 
> Is the TLD managed by Neustar?  But perhaps not the master copy of the
> zone?  In any case, perhaps it is already fixed?  The latest SOA is
> signed with both algorithms:
> 
>    ; NoError AD=1
>    in. IN SOA ns1.neustar.in. hostmaster at neustar.in. 1585295284 1800 300 1814400 1800
>    in. IN RRSIG SOA 7 1 900 20200426074806 20200327064806 9182 in. <...>
>    in. IN RRSIG SOA 8 1 900 20200426074806 20200327064806 65169 in. <…>

And the DNSKEY rrset is now signed with both. 

in.			893	IN	RRSIG	DNSKEY 8 1 900 20200426081551 20200327071551 65169 in. oRFK0VjYAI6Bt5LvJhj78iApYHugSWu/Z1fcULRulIf4eDoOefqPnOnH seanEBlb0wzR+rQGZa1zlVM5dBtChiaqAB+s7CumqvxyVoD4fP50F/+Z Qb3fWs4F9mouG1KC/zvKnRuk/6U562SP1DItwmEJK2hcDyvFlXZZ2xt/ krY3W6ieEb44YwAvGcdvZy2hd/TgsRqPeWy/Ox2nSVML6g

20200327071551 indicates that it was just signed (now Fri 27 Mar 2020 10:16:30 UTC).  When I checked at 06:58:00
it was not signed.

Mark

> -- 
>    Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org





More information about the dns-operations mailing list