On Wed, Mar 21, 2012 at 7:53 PM, Olafur Gudmundsson <[email protected]> wrote:
> The first thing that jumps out is the domain is using 2 different DNSKEY
> algorithms; this increases the possibility of mistakes.
> ALG 7 is in the record in parent with corresponding DNSKEY record signing
> the DNSKEY, but the key for algorithm 7 that signs the www.ca.gov A RRset is
> not in the DNSKEY RRset.

Indeed, what I didn't realize was that the site http://dnsviz.net/d/www.ca.gov/dnssec/ was working on old data; when I re-ran the report, it reported, like you said, that they had signed their RRset with a new unpublished key.

It appears they have fixed their zone now; thanks for your help in making sense of what happened.

--
Augie Schwer - [email protected] - http://schwer.us
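
Added example, not part of the original thread: a pre-publication check for the failure discussed above, flagging any RRSIG whose (algorithm, key tag) pair matches no key in the zone's DNSKEY RRset. The zone name `example.test`, the toy key bytes, the use of algorithm 5 as the second algorithm, and the helper names are all constructed for illustration.

```python
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag of a DNSKEY (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of each 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def tag_of(key):
    # The DNSKEY protocol field is always 3.
    return key_tag(key["flags"], 3, key["algorithm"], key["public_key"])

def unpublished_signers(dnskey_rrset, rrsigs):
    """Return RRSIGs whose (algorithm, key tag) matches no published DNSKEY."""
    published = {(k["algorithm"], tag_of(k)) for k in dnskey_rrset}
    return [s for s in rrsigs if (s["algorithm"], s["key_tag"]) not in published]

# Constructed sample data: toy 4-byte "keys", not real key material.
KSK_ALG7 = {"flags": 257, "algorithm": 7, "public_key": b"\x01\x02\x03\x04"}
ZSK_ALG5 = {"flags": 256, "algorithm": 5, "public_key": b"\x0a\x0b\x0c\x0d"}
# New algorithm 7 signing key that was never added to the DNSKEY RRset.
NEW_ZSK_ALG7 = {"flags": 256, "algorithm": 7, "public_key": b"\x11\x12\x13\x14"}

DNSKEY_RRSET = [KSK_ALG7, ZSK_ALG5]
RRSIGS = [
    {"owner": "example.test.", "covers": "DNSKEY",
     "algorithm": 7, "key_tag": tag_of(KSK_ALG7)},
    {"owner": "www.example.test.", "covers": "A",
     "algorithm": 5, "key_tag": tag_of(ZSK_ALG5)},
    {"owner": "www.example.test.", "covers": "A",
     "algorithm": 7, "key_tag": tag_of(NEW_ZSK_ALG7)},
]

if __name__ == "__main__":
    for sig in unpublished_signers(DNSKEY_RRSET, RRSIGS):
        print("{owner} {covers}: RRSIG alg {algorithm} key tag {key_tag} "
              "has no matching DNSKEY".format(**sig))
```

A matching key tag only shows that a candidate key is published; it does not prove the signature verifies, so this check complements full validation rather than replacing it.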
