> On 27 Mar 2020, at 18:52, Viktor Dukhovni <[email protected]> wrote: > > On Fri, Mar 27, 2020 at 06:37:46PM +1100, Mark Andrews wrote: > >> BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf as >> it also supports RSASHA256. India just stuffed up the key management. > > Is the TLD managed by Neustar? But perhaps not the master copy of the > zone? In any case, perhaps it is already fixed? The latest SOA is > signed with both algorithms: > > ; NoError AD=1 > in. IN SOA ns1.neustar.in. [email protected]. 1585295284 1800 300 > 1814400 1800 > in. IN RRSIG SOA 7 1 900 20200426074806 20200327064806 9182 in. <...> > in. IN RRSIG SOA 8 1 900 20200426074806 20200327064806 65169 in. <…>
And the DNSKEY rrset is now signed with both. in. 893 IN RRSIG DNSKEY 8 1 900 20200426081551 20200327071551 65169 in. oRFK0VjYAI6Bt5LvJhj78iApYHugSWu/Z1fcULRulIf4eDoOefqPnOnH seanEBlb0wzR+rQGZa1zlVM5dBtChiaqAB+s7CumqvxyVoD4fP50F/+Z Qb3fWs4F9mouG1KC/zvKnRuk/6U562SP1DItwmEJK2hcDyvFlXZZ2xt/ krY3W6ieEb44YwAvGcdvZy2hd/TgsRqPeWy/Ox2nSVML6g 20200327071551 indicates that it was just signed (now Fri 27 Mar 2020 10:16:30 UTC). When I checked at 06:58:00 it was not signed. Mark > -- > Viktor. > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
