> On 27 Mar 2020, at 16:44, Stephane Bortzmeyer <[email protected]> wrote:
>
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM".

They not only have DNSKEYs but they also have DS records.

in. 85995 IN DS 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in. 85995 IN DS 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in. 85995 IN DS 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in. 85995 IN DS 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C

This will break anyone who supports RSASHA256 (8) but has disabled NSEC3RSASHA1 (7).

They should fully sign the zone with both algorithms or remove the DS records for RSASHA256 (8).

Mark

> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
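The following is an added illustration of the check discussed in this thread; it is not code from either poster. It takes the DS records quoted above plus a constructed set of RRSIG records for the `in.` apex (signatures from algorithm 7 only, which is the situation described), reports which DS-advertised algorithms lack signatures per RFC 4035 section 2.2, and models how a validator with a given set of supported algorithms would classify the zone. The validator model follows the RFC 6840 rule that a DS record whose algorithm the resolver does not support is treated as absent; the RRSIG lines, their timestamps and signature data are constructed placeholders.

```python
"""Check RFC 4035 section 2.2 (every DS/DNSKEY algorithm must sign every RRset)
and model what a validator sees when some algorithms are disabled."""
from collections import defaultdict

# Subset of the IANA DNSSEC algorithm registry, used only for readable output.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# DS records exactly as quoted in the thread (digest hex split across two tokens
# by the mail client; only the leading rdata fields are used here).
DS_RECORDS = [
    "in. 85995 IN DS 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA",
    "in. 85995 IN DS 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C",
    "in. 85995 IN DS 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9",
    "in. 85995 IN DS 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C",
]

# Constructed RRSIG records: only algorithm 7 signatures exist, mirroring the
# report. Dates, key tags and the signature field are placeholders, not real data.
RRSIG_RECORDS = [
    "in. 86400 IN RRSIG SOA 7 1 86400 20200410000000 20200327000000 35373 in. PLACEHOLDERSIG==",
    "in. 86400 IN RRSIG DNSKEY 7 1 86400 20200410000000 20200327000000 35373 in. PLACEHOLDERSIG==",
]


def parse_rr(line):
    """Split a presentation-format RR into (owner, rtype, rdata tokens)."""
    parts = line.split()
    owner, rtype, rdata = parts[0], parts[3], parts[4:]
    return owner, rtype, rdata


def ds_algorithms(ds_lines):
    """Algorithms advertised by the parent via DS (DS rdata: keytag alg digesttype digest)."""
    algs = set()
    for line in ds_lines:
        _, rtype, rdata = parse_rr(line)
        if rtype == "DS":
            algs.add(int(rdata[1]))
    return algs


def rrsig_algorithms_by_rrset(rrsig_lines):
    """Map (owner, type covered) -> set of algorithms that signed it.
    RRSIG rdata: typecovered alg labels origttl expiration inception keytag signer sig."""
    signed = defaultdict(set)
    for line in rrsig_lines:
        owner, rtype, rdata = parse_rr(line)
        if rtype == "RRSIG":
            signed[(owner, rdata[0])].add(int(rdata[1]))
    return signed


def missing_algorithms(ds_lines, rrsig_lines):
    """RFC 4035 2.2 check: for each RRset, which DS algorithms have no RRSIG."""
    required = ds_algorithms(ds_lines)
    signed = rrsig_algorithms_by_rrset(rrsig_lines)
    return {rrset: sorted(required - algs)
            for rrset, algs in signed.items() if required - algs}


def validator_outcome(ds_lines, rrsig_lines, supported_algs):
    """Model a validating resolver: DS records with unsupported algorithms are
    ignored (RFC 6840). No usable DS -> 'insecure'; a usable DS but an RRset
    without a signature from a usable algorithm -> 'bogus'; else 'secure'."""
    usable = ds_algorithms(ds_lines) & set(supported_algs)
    if not usable:
        return "insecure"
    for rrset, algs in rrsig_algorithms_by_rrset(rrsig_lines).items():
        if not (algs & usable):
            return "bogus"
    return "secure"


def describe(ds_lines, rrsig_lines):
    """Human-readable report of the section 2.2 violations, if any."""
    lines = []
    for (owner, rtype), algs in missing_algorithms(ds_lines, rrsig_lines).items():
        names = ", ".join(f"{a} ({ALG_NAMES.get(a, 'unknown')})" for a in algs)
        lines.append(f"{owner} {rtype}: no RRSIG for DS algorithm(s) {names}")
    return lines


if __name__ == "__main__":
    for report in describe(DS_RECORDS, RRSIG_RECORDS):
        print(report)
    for supported in ({7, 8}, {8}, {13}):
        print(sorted(supported), "->", validator_outcome(DS_RECORDS, RRSIG_RECORDS, supported))
```

Running it shows the two outcomes Mark describes: a resolver that still accepts algorithm 7 validates the zone, while one that supports 8 but has disabled 7 sees only the algorithm-8 DS records, finds no matching RRSIGs, and returns bogus. Adding algorithm-8 RRSIG lines to `RRSIG_RECORDS` (or dropping the algorithm-8 DS records) clears both the section 2.2 report and the bogus result, which is the remedy proposed in the reply.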
