Hello. On 3/27/20 6:44 AM, Stephane Bortzmeyer wrote: > Some resolvers protest on .in. It seems they have a RSASHA256 key but > no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There > MUST be an RRSIG for each RRset using at least one DNSKEY of EACH > ALGORITHM".
Note that in this case the mistake is on *both* sides, so it's an opportunity to also fix these validators. See > This requirement applies to servers, not validators. Validators SHOULD > accept any single valid path. https://tools.ietf.org/html/rfc6840#section-5.11 > (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.) Seems to work for me at this moment, e.g.: https://dnsviz.net/d/registry.in/XnzgYw/dnssec/ (Thanks for this restored feature again!) --Vladimir _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
