> On 27 Mar 2020, at 18:18, Vladimír Čunát <[email protected]> wrote:
>
> Hello.
>
> On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
>> Some resolvers protest on .in. It seems they have an RSASHA256 key but
>> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
>> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
>> ALGORITHM".
>
> Note that in this case the mistake is on *both* sides, so it's an
> opportunity to also fix these validators. See
>> This requirement applies to servers, not validators. Validators SHOULD
>> accept any single valid path.
>
> https://tools.ietf.org/html/rfc6840#section-5.11
I see no evidence of validator failures here. I know that when people complain that the zone should have been fully signed it is often really an overly strict validator, but this isn't the case here. BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf, as it also supports RSASHA256. India just stuffed up the key management.

[beetle:~/git/bind9] marka% dig ds in. @a.root-servers.net

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> ds in. @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9716
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;in.				IN	DS

;; ANSWER SECTION:
in.			86400	IN	DS	35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in.			86400	IN	DS	54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in.			86400	IN	DS	54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in.			86400	IN	DS	35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C

;; Query time: 126 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Mar 27 18:29:15 AEDT 2020
;; MSG SIZE  rcvd: 199

[beetle:~/git/bind9] marka%

>> (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)
>
> Seems to work for me at this moment, e.g.:
> https://dnsviz.net/d/registry.in/XnzgYw/dnssec/
> (Thanks for this restored feature again!)
>
> --Vladimir
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
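The disagreement above is about two different rules: the signer-side rule in RFC 4035 section 2.2 (every algorithm in the DNSKEY RRset must sign every RRset) and the validator-side rule in RFC 6840 section 5.11 (one valid path is enough). The following is an added worked example, not code from the thread, from BIND or from any resolver. It parses the four DS records Mark posted for in., models a child zone that, as Stephane reported, publishes DNSKEYs for algorithms 7 and 8 but signs only with algorithm 7 (the DNSKEY and RRSIG algorithm sets are constructed, not fetched), and shows why the same zone is "secure" for a validator that accepts algorithm 7, "bogus" once algorithm 7 is disabled, and "insecure" for a validator that supports neither DS algorithm. The validator model (ignore DS records of unsupported or disabled algorithms, insecure when none remain per RFC 4035 section 5.2, otherwise any one verifiable path suffices) is a simplification assumed by this example; digest matching and signature verification are taken as given.

```python
"""Signer-side and validator-side checks for a multi-algorithm DS set.

Added example, not from the thread.  The DS lines are the ones Mark posted
for in.; the child-zone DNSKEY/RRSIG algorithm sets are constructed to match
Stephane's description (RSASHA256 key present, RSASHA256 signatures absent).
"""
import re

NSEC3RSASHA1 = 7
RSASHA256 = 8

# Answer section of "dig ds in. @a.root-servers.net" as posted in the thread.
DS_ANSWER = """\
in. 86400 IN DS 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8E A0B354DA
in. 86400 IN DS 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in. 86400 IN DS 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in. 86400 IN DS 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C
"""

# Constructed child-zone state: one key per DS algorithm, RRSIGs only from
# the algorithm-7 key.
CHILD_DNSKEY_ALGS = {NSEC3RSASHA1, RSASHA256}
CHILD_RRSIG_ALGS = {NSEC3RSASHA1}

# owner TTL IN DS keytag algorithm digest-type digest (digest may be space-split)
DS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ds(text):
    """Return (keytag, algorithm, digest_type, digest_hex) tuples from dig-style DS lines."""
    records = []
    for line in text.splitlines():
        m = DS_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a DS record line
        _owner, tag, alg, dtype, digest = m.groups()
        records.append((int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()))
    return records


def ds_algorithms(records):
    """Set of DNSKEY algorithms the parent has delegated trust to."""
    return {alg for _tag, alg, _dtype, _digest in records}


def unsigned_dnskey_algorithms(dnskey_algs, rrsig_algs):
    """Signer-side check (RFC 4035 s2.2): every algorithm in the DNSKEY RRset
    must also produce RRSIGs.  Returns the algorithms that violate this."""
    return set(dnskey_algs) - set(rrsig_algs)


def validator_outcome(ds_algs, rrsig_algs, supported_algs):
    """Simplified validator decision for the DS -> DNSKEY link.

    Assumed model (not any resolver's actual code): DS records whose
    algorithm is unsupported or disabled are ignored; if none remain the
    zone is treated as insecure (RFC 4035 s5.2); otherwise a single
    verifiable signature path is enough (RFC 6840 s5.11); with none, bogus.
    """
    usable = set(ds_algs) & set(supported_algs)
    if not usable:
        return "insecure"
    if usable & set(rrsig_algs):
        return "secure"
    return "bogus"


if __name__ == "__main__":
    records = parse_ds(DS_ANSWER)
    algs = ds_algorithms(records)
    print("DS algorithms published for in.:", sorted(algs))
    print("DNSKEY algorithms with no RRSIGs (signer bug):",
          sorted(unsigned_dnskey_algorithms(CHILD_DNSKEY_ALGS, CHILD_RRSIG_ALGS)))
    scenarios = [
        ("validator supports 7 and 8", {5, 7, 8, 10, 13, 14}),
        ("algorithm 7 disabled in validator", {5, 8, 10, 13, 14}),
        ("validator supports only ECDSA", {13, 14}),
    ]
    for label, supported in scenarios:
        print(f"{label}: {validator_outcome(algs, CHILD_RRSIG_ALGS, supported)}")
```

The signer-side check is the one an operator should run before publishing a DS for a new algorithm: adding the algorithm-8 DS at the parent without algorithm-8 RRSIGs in the child is exactly the state that turns a validator's local policy change (disabling algorithm 7) into a validation failure.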
