Looks to me like there is a serious problem here. The NSEC record specifies what is signed but not the algorithm used to sign it. DNSSEC allows multiple signature and digest algorithms on the same zone. If a zone does this, validators are prohibited from rejecting records signed using only one of the algorithms rather than both.
I won't go into extreme detail here, as the researcher's slides will be available tomorrow. This definitely needs fixing. One near-term fix is to make SHA-1 a MUST NOT. It is long past its sell-by date now.
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
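The validator rule the message refers to (RFC 6840 section 5.11: accept any single valid signature path, never insist that every algorithm signalled in the DNSKEY set has a working signature), as an added simulation that is not code from the poster or from any DNS software. The `verifies` flag stands in for the real cryptographic check, the zone and RRSIG data are constructed, and the point shown is how a validator that treats the SHA-1 algorithms as unsupported removes the SHA-1-only path that the default rule would accept.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry that the argument turns on.
RSASHA1 = 5              # SHA-1 based
RSASHA1_NSEC3_SHA1 = 7   # SHA-1 based
ECDSAP256SHA256 = 13
SHA1_ALGORITHMS = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1})


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    verifies: bool   # constructed stand-in for the real signature check


def validate(zone_algorithms, rrsigs, unsupported=frozenset()):
    """Return 'secure', 'bogus' or 'insecure' for one RRset.

    zone_algorithms: algorithms signalled in the zone's DNSKEY/DS sets.
    rrsigs:          RRSIGs covering the RRset.
    unsupported:     algorithms this validator refuses to use.
    """
    usable = set(zone_algorithms) - set(unsupported)
    if not usable:
        # No supported algorithm at all: no authentication path, so the
        # data is treated as insecure rather than bogus (RFC 4035 5.2).
        return "insecure"
    # Any single valid path under a usable algorithm is enough (RFC 6840 5.11).
    for sig in rrsigs:
        if sig.algorithm in usable and sig.verifies:
            return "secure"
    return "bogus"


def demo():
    """Dual-algorithm zone (5 and 13) where only an alg-5 RRSIG is present."""
    zone = {RSASHA1, ECDSAP256SHA256}
    sha1_only = [Rrsig(RSASHA1, True)]
    both = [Rrsig(RSASHA1, True), Rrsig(ECDSAP256SHA256, True)]
    return {
        # Default rule: the SHA-1-only path is accepted.
        "default_sha1_only": validate(zone, sha1_only),
        # SHA-1 as MUST NOT: the alg-13 path is now required.
        "no_sha1_sha1_only": validate(zone, sha1_only, SHA1_ALGORITHMS),
        "no_sha1_both": validate(zone, both, SHA1_ALGORITHMS),
        # Zone signed with SHA-1 algorithms only: no usable path remains.
        "no_sha1_sha1_zone": validate({RSASHA1}, sha1_only, SHA1_ALGORITHMS),
    }
```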