On Fri, Mar 27, 2020 at 06:37:46PM +1100, Mark Andrews wrote:
> BIND will *correctly* fail if NSEC3RSASHA1 is disabled in named.conf as
> it also supports RSASHA256. India just stuffed up the key management.
Is the TLD managed by Neustar? But perhaps not the master copy of the
zone? In any
> On 27 Mar 2020, at 18:18, Vladimír Čunát wrote:
>
> Hello.
>
> On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
>> Some resolvers protest on .in. It seems they have a RSASHA256 key but
>> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
>> MUST be an RRSIG for each RRset
Hello.
On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote:
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM".
Note that in this
> On 27 Mar 2020, at 16:44, Stephane Bortzmeyer wrote:
>
> Some resolvers protest on .in. It seems they have a RSASHA256 key but
> no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
> MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
> ALGORITHM”.
They not
Some resolvers protest on .in. It seems they have a RSASHA256 key but
no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There
MUST be an RRSIG for each RRset using at least one DNSKEY of EACH
ALGORITHM".
(Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)