On Fri, Jun 19, 2026 at 09:11:10AM +0200, Patrick Ben Koetter via Postfix-users
wrote:
> > The only technical anomaly is not known to be a problem in reality, the
> > sys4.de DNSKEY RRset includes a spurious ECDSA P256(13) ZSK, with no
> > associated RRSIGs. Since there's no ECDSA P256 DS record, no known
> > validator will ignore the RSA RRSIGs and require ECDSA, but that
> > ZSK should be dropped.
>
> Maybe an anomaly now, but maybe / hopefully something you will get to see more
> often in the future.
Sure, and as noted, this is fine in practice, but in theory it violates
the most conservative of the algorithm rollover process models.
In that model, when adding an algorithm, the RRSIGs appear first, then a
few TTLs later, the associated zone apex DNSKEY, and then finally the
associated parent DS RR. And when removing an algorithm, the DS goes
first, then a few TTLs later, the apex DNSKEYs, and the RRSIGs go last.
In practice, no widely used resolvers are known to have any issues with
the "missing" RRSIGs for algorithms not listed in the DS RRset, and
the flagging of the issue by DNSViz is a technicality. I just wanted
to note this, in case anyone looking at the DNSViz links is put off
by the associated hazard signs.
I expect Carsten decided that just publishing the future new KSK is
not a problem, despite the technicality.
--
Viktor. 🇺🇦 Слава Україні!
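As an added illustration of the rollover model described in the message above (this is example code written for this page, not code from the thread, from Viktor, or from sys4.de): a small checker that models the apex DNSKEY RRset, the zone's RRSIGs and the parent DS RRset as sets of DNSSEC algorithm numbers, walks the conservative add order (RRSIGs, then DNSKEY, then DS) and remove order (DS, then DNSKEY, then RRSIGs), and shows that each intermediate state passes the strict RFC 4035 section 2.2 rules that DNSViz checks, while publishing the DNSKEY before its RRSIGs reproduces the warning the post describes. Algorithm numbers 8 and 13 are the IANA values for RSASHA256 and ECDSAP256SHA256; that sys4.de's RSA keys are specifically RSASHA256 is an assumption made here, the post only says "RSA". The sys4.de snapshot is constructed from the post's description, not from a live query.

```python
"""Check DNSSEC algorithm-rollover states for RRSIG/DNSKEY/DS consistency.

Added example, not code from the original mailing-list thread. Each
ZoneState holds the DNSSEC algorithm numbers present in the apex DNSKEY
RRset, in the zone's RRSIGs, and in the parent's DS RRset at one instant.
"""
from dataclasses import dataclass, replace

RSASHA256 = 8           # "RSA" in the post; the exact RSA variant is assumed
ECDSAP256SHA256 = 13    # the "spurious" ZSK algorithm named in the post


@dataclass(frozen=True)
class ZoneState:
    """Algorithms present in each of the three RRsets at one instant."""
    dnskey: frozenset   # algorithms of keys in the apex DNSKEY RRset
    rrsig: frozenset    # algorithms for which every RRset carries RRSIGs
    ds: frozenset       # algorithms referenced from the parent's DS RRset


def strict_problems(s: ZoneState) -> list:
    """Rules a strict checker such as DNSViz applies (RFC 4035 section 2.2):
    every DNSKEY algorithm must sign the zone, and every DS algorithm must
    have a matching DNSKEY. RRSIGs with no matching DNSKEY are harmless and
    are not reported."""
    out = []
    for alg in sorted(s.dnskey - s.rrsig):
        out.append(f"DNSKEY algorithm {alg} present but no RRSIGs with algorithm {alg}")
    for alg in sorted(s.ds - s.dnskey):
        out.append(f"DS algorithm {alg} present but no DNSKEY with algorithm {alg}")
    return out


def validator_problems(s: ZoneState) -> list:
    """What a validating resolver actually needs: a chain for at least one
    algorithm reachable from a DS record. A DNSKEY whose algorithm has no
    DS and no RRSIGs (the sys4.de case in the post) is simply ignored."""
    if not s.ds:
        return []                      # insecure delegation, nothing to validate
    if s.ds & s.dnskey & s.rrsig:
        return []                      # some algorithm validates end to end
    return ["no algorithm has DS, DNSKEY and RRSIGs together: zone is bogus"]


def add_algorithm(start: ZoneState, alg: int) -> list:
    """Conservative add order: RRSIGs first, then DNSKEY, then DS.
    Each element is the state after one change; a real operator waits a
    few TTLs between elements so caches observe them in this order."""
    s1 = replace(start, rrsig=start.rrsig | {alg})
    s2 = replace(s1, dnskey=s1.dnskey | {alg})
    s3 = replace(s2, ds=s2.ds | {alg})
    return [s1, s2, s3]


def remove_algorithm(start: ZoneState, alg: int) -> list:
    """Conservative remove order: DS first, then DNSKEY, then RRSIGs last."""
    s1 = replace(start, ds=start.ds - {alg})
    s2 = replace(s1, dnskey=s1.dnskey - {alg})
    s3 = replace(s2, rrsig=s2.rrsig - {alg})
    return [s1, s2, s3]


def all_strictly_clean(states) -> bool:
    """True when no intermediate state trips the strict rules."""
    return all(not strict_problems(s) for s in states)


# Constructed snapshot matching the post's description of sys4.de (not a
# live query): RSA keys, RSA signatures, RSA DS, plus an ECDSA P-256 ZSK
# that signs nothing.
SYS4_SNAPSHOT = ZoneState(
    dnskey=frozenset({RSASHA256, ECDSAP256SHA256}),
    rrsig=frozenset({RSASHA256}),
    ds=frozenset({RSASHA256}),
)

# Starting point for the rollover walk: a plain single-algorithm zone.
RSA_ONLY = ZoneState(frozenset({RSASHA256}), frozenset({RSASHA256}),
                     frozenset({RSASHA256}))


if __name__ == "__main__":
    print("sys4.de snapshot, strict checker:", strict_problems(SYS4_SNAPSHOT))
    print("sys4.de snapshot, validator view:", validator_problems(SYS4_SNAPSHOT))
    for i, st in enumerate(add_algorithm(RSA_ONLY, ECDSAP256SHA256), 1):
        print(f"add step {i}: {strict_problems(st) or 'clean'}")
    for i, st in enumerate(remove_algorithm(add_algorithm(RSA_ONLY, 13)[-1], 13), 1):
        print(f"remove step {i}: {strict_problems(st) or 'clean'}")
```

Running it shows the sys4.de-style snapshot flagged by the strict rules but accepted by the validator view, and every step of both conservative sequences clean, which is the point of the model: the only way to reach the flagged state is to publish the DNSKEY before the RRSIGs. A DS record with no matching DNSKEY, by contrast, fails both views, so the two ends of the rollover are not symmetric in severity.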