On 6/9/15 2:47 AM, Gilles Massen wrote:
> In short: BIND and Unbound fail to validate; Google, dnsviz (
> http://dnsviz.net/d/hollington.ca/dnssec/ ) and dnssec-debugger (
> http://dnssec-analyzer.verisignlabs.com/hollington.ca ) are fine.
>
> More detailed: delv complains with
>
> ;; validating hollington.ca/DNSKEY: no DNSKEY matching DS
> ;; validating hollington.ca/DNSKEY: no valid signature found (DS)
>
> which looks quite simple; however, the KSK DNSKEY from hollington.ca is
> part of the DS set. The only notable part of the DS set is that it
> contains 4 keys, among which is an older (?) one with a longer hash.
RFC 4509 says:

    Implementations MUST support the use of the SHA-256 algorithm in DS
    RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
    digests if DS RRs with SHA-256 digests are present in the DS RRset.

I assume the various resolvers are making different choices with regard
to that SHOULD.
--
Kevin Chen
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
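The following is an added worked example, not code from either poster or from any resolver: it models how the RFC 4509 SHOULD changes the outcome of DS-to-DNSKEY matching. The owner name, key material, and the DS RRset are constructed for illustration; the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) computations follow the RFCs. The scenario mirrors the report above: the DS RRset carries only SHA-1 digests for the current KSK and a stale SHA-256 digest for an old key, so a validator that honours the SHOULD drops every usable DS and reports "no DNSKEY matching DS", while a lenient validator still finds the chain.

```python
import hashlib
import struct

# Digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags (2), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (one's-complement style 16-bit accumulator)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """Build a DS record (key tag, algorithm, digest type, digest) for a DNSKEY."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if this DS authenticates this DNSKEY (tag, algorithm and digest all agree)."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unsupported digest type: cannot be used, but does not fail validation
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)


def usable_ds(ds_rrset: list, honour_rfc4509: bool) -> list:
    """Apply the RFC 4509 SHOULD: ignore SHA-1 DS records when a SHA-256 DS is present."""
    if honour_rfc4509 and any(ds[2] == 2 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] != 1]
    return list(ds_rrset)


def validate_dnskey_rrset(owner: str, ds_rrset: list, dnskeys: list, honour_rfc4509: bool) -> list:
    """Return the DNSKEYs authenticated by some usable DS; an empty list is 'no DNSKEY matching DS'."""
    candidates = usable_ds(ds_rrset, honour_rfc4509)
    return [k for k in dnskeys if any(ds_matches(ds, owner, k) for ds in candidates)]


# --- Constructed scenario (hypothetical zone and keys; algorithm 8 = RSASHA256) ---
OWNER = "example.test."
OLD_KSK = dnskey_rdata(257, 3, 8, b"constructed-old-ksk-public-key")
NEW_KSK = dnskey_rdata(257, 3, 8, b"constructed-new-ksk-public-key")
ZSK = dnskey_rdata(256, 3, 8, b"constructed-zsk-public-key")
DNSKEYS = [NEW_KSK, ZSK]  # what the zone currently publishes

# As published: stale SHA-256 DS for the old KSK, SHA-1 DS for the current KSK.
DS_AS_PUBLISHED = [make_ds(OWNER, OLD_KSK, 2), make_ds(OWNER, NEW_KSK, 1)]

# Fixed: a SHA-256 DS for the current KSK is added at the parent.
DS_FIXED = DS_AS_PUBLISHED + [make_ds(OWNER, NEW_KSK, 2)]

if __name__ == "__main__":
    for label, ds_set in (("as published", DS_AS_PUBLISHED), ("fixed", DS_FIXED)):
        lenient = validate_dnskey_rrset(OWNER, ds_set, DNSKEYS, honour_rfc4509=False)
        strict = validate_dnskey_rrset(OWNER, ds_set, DNSKEYS, honour_rfc4509=True)
        print(f"{label}: lenient validator finds {len(lenient)} KSK, RFC 4509 validator finds {len(strict)}")
```

The operational check this suggests: when a SHA-256 DS exists at the parent for any key, every KSK you expect validators to trust needs its own SHA-256 DS, because a conforming validator will not fall back to the SHA-1 entries.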