* Viktor Dukhovni via Postfix-users <[email protected]>:
> On Fri, Jun 19, 2026 at 09:11:10AM +0200, Patrick Ben Koetter via
> Postfix-users wrote:
>
> > > The only technical anomaly is not known to be a problem in reality, the
> > > sys4.de DNSKEY RRset includes a spurious ECDSA P256(13) ZSK, with no
> > > associated RRSIGs. Since there's no ECDSA P256 DS record, no known
> > > validator will ignore the RSA RRSIGs and require ECDSA, but that
> > > ZSK should be dropped.
> >
> > Maybe an anomaly now, but maybe / hopefully something you will get to see more
> > often in the future.
>
> Sure, and as noted, this is fine in practice, but in theory it violates
> the most conservative of the algorithm rollover process models.
>
> In that model, when adding an algorithm, the RRSIGs appear first, then a
> few TTLs later, the associated zone apex DNSKEY, and then finally the
> associated parent DS RR. And when removing an algorithm, the DS goes
> first, then a few TTLs later, the apex DNSKEYs, and the RRSIGs go last.
>
> In practice, no widely used resolvers are known to have any issues with
> the "missing" RRSIGs for algorithms not listed in the DS RRset, and
> the flagging of the issue by DNSViz is a technicality. I just wanted
> to note this, in case anyone looking at the DNSViz links is put off
> by the associated hazard signs.
Thoughtful and prescient as always. Thank you for your notes on DNSViz and
the hazard signs.

> I expect Carsten decided that just publishing the future new KSK is
> not a problem, despite the technicality.

I guess that's what he did. I do SMTP. Carsten does DNS. His word on DNS is
my command. ;)

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
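The conservative rollover model Viktor describes, together with the difference between what DNSViz flags and what a validator actually requires, as an added example that is not part of this thread and not sys4 or Postfix code. It is a small Python checker that derives the algorithm sets from dig-style DS, DNSKEY and RRSIG records and tests the invariant DS ⊆ DNSKEY ⊆ RRSIG at every step of a rollover. The records below are constructed placeholders, not sys4.de's real data; algorithm 13 is ECDSA P256 as in the thread, and algorithm 8 (RSASHA256) is an assumption standing in for the RSA algorithm the thread does not name.

```python
"""Algorithm-consistency check across a zone's DS, DNSKEY and RRSIG records.

Added example (not from the thread). It models the conservative rollover
invariant described in the quoted message:

    algorithms(DS)  ⊆  algorithms(DNSKEY)  ⊆  algorithms(RRSIG)

and distinguishes the two readings of a broken inner inclusion:
  * strict (RFC 4035 section 2.2, what DNSViz flags): every DNSKEY algorithm
    must also appear in RRSIGs;
  * practical (RFC 6840 section 5.11): a validator only needs a working chain
    for an algorithm listed in the parent's DS RRset.
"""
from dataclasses import dataclass, replace

RSASHA256 = 8           # IANA DNSSEC algorithm numbers used below (8 is an
ECDSAP256SHA256 = 13    # assumption for "RSA"; 13 is the P256 key in the thread)


@dataclass(frozen=True)
class ApexSnapshot:
    """Algorithm numbers seen at one point in time for one zone."""
    ds_algs: frozenset
    dnskey_algs: frozenset
    rrsig_algs: frozenset


def snapshot_from_records(lines):
    """Build a snapshot from presentation-format RRs (as printed by dig).

    DNSKEY rdata:  flags protocol algorithm key
    RRSIG  rdata:  type-covered algorithm labels ttl expire incept keytag signer sig
    DS     rdata:  keytag algorithm digest-type digest
    """
    ds, dnskey, rrsig = set(), set(), set()
    for line in lines:
        tok = line.split()
        if "IN" not in tok:
            continue  # comments, blank lines, dig chatter
        i = tok.index("IN")
        rtype, rdata = tok[i + 1], tok[i + 2:]
        if rtype == "DNSKEY":
            dnskey.add(int(rdata[2]))
        elif rtype == "RRSIG":
            rrsig.add(int(rdata[1]))
        elif rtype == "DS":
            ds.add(int(rdata[1]))
    return ApexSnapshot(frozenset(ds), frozenset(dnskey), frozenset(rrsig))


def unsigned_dnskey_algorithms(snap):
    """DNSKEY algorithms with no RRSIGs: the RFC 4035 technicality DNSViz warns about."""
    return snap.dnskey_algs - snap.rrsig_algs


def broken_ds_algorithms(snap):
    """DS algorithms lacking a DNSKEY *and* RRSIGs: these can make a zone bogus."""
    return snap.ds_algs - (snap.dnskey_algs & snap.rrsig_algs)


def validates_in_practice(snap, supported):
    """RFC 6840 s5.11 behaviour: accept if any supported DS algorithm has a full chain."""
    usable = snap.ds_algs & supported
    return any(a in snap.dnskey_algs and a in snap.rrsig_algs for a in usable)


def satisfies_conservative_model(snap):
    """DS ⊆ DNSKEY ⊆ RRSIG must hold at every instant of a conservative rollover."""
    return snap.ds_algs <= snap.dnskey_algs <= snap.rrsig_algs


def conservative_rollover(start, add=None, drop=None):
    """Return the successive apex states of a conservative algorithm rollover.

    Adding: RRSIGs first, then DNSKEY, then parent DS.  Removing: DS first,
    then DNSKEY, then RRSIGs.  Each hop is separated by 'a few TTLs' in reality.
    """
    states, s = [start], start
    if add is not None:
        for name in ("rrsig_algs", "dnskey_algs", "ds_algs"):
            s = replace(s, **{name: getattr(s, name) | {add}})
            states.append(s)
    if drop is not None:
        for name in ("ds_algs", "dnskey_algs", "rrsig_algs"):
            s = replace(s, **{name: getattr(s, name) - {drop}})
            states.append(s)
    return states


# Constructed sample patterned on the anomaly discussed in the thread: the apex
# carries an algorithm-13 key that signs nothing, and the parent's only DS is
# for algorithm 8.  Key, signature and digest data are placeholders.
SAMPLE_RECORDS = [
    "example.org. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKSK==",
    "example.org. 3600 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSK==",
    "example.org. 3600 IN DNSKEY 256 3 13 mdsswUyCONSTRUCTED==",
    "example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20260701000000 20260617000000 12345 example.org. c0NSTRUCTED==",
    "example.org. 3600 IN RRSIG SOA 8 2 3600 20260701000000 20260617000000 54321 example.org. c0NSTRUCTED==",
    "example.org. 86400 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
]

if __name__ == "__main__":
    snap = snapshot_from_records(SAMPLE_RECORDS)
    print("DNSKEY algorithms without RRSIGs:", sorted(unsigned_dnskey_algorithms(snap)))
    print("validates for an RSA+ECDSA validator:", validates_in_practice(snap, {8, 13}))
    print("conservative model satisfied:", satisfies_conservative_model(snap))
```

Run on the sample, the checker reports algorithm 13 as unsigned (the DNSViz hazard sign), no broken DS algorithm, and successful validation for any resolver that supports algorithm 8, which is exactly the "fine in practice, violates the conservative model" situation. Feeding `conservative_rollover` a single-algorithm zone with `add=13, drop=8` produces six intermediate states that all satisfy the invariant; reordering the steps (DNSKEY before RRSIG, or RRSIG removed before DS) is what breaks it.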
