[dns-operations] TLD .law - non-signing KSK with referenced DS
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Jan 20 06:44:49 UTC 2022
> PowerDNS Recursor used to ignore SHA-256 records in the face of
> SHA-384 records, but this was considered a bug and recently fixed. [3]
> I don't know if any other resolvers behave the same way. It would be
> prudent not to chance it.
We were recently made aware of a .ch domain which rolled the keys and
triggered this bug. Akamai CacheServe is also affected. The issue is
being fixed there as well. So I second your recommendation for the time
being.
Daniel
More information about the dns-operations
mailing list