They are just malformed. No key material is not permitted with DNSKEY. it’s one of the differences to KEY.
-- Mark Andrews > On 7 Oct 2020, at 04:40, Viktor Dukhovni <[email protected]> wrote: > > After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days > backs, two domains now have new zero-length RSA 8 KSKs, along with > working new ECDSA KSKs: > > https://stats.dnssec-tools.org/explore/?nlagriculture.nl > https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl > > It isn't only the RSA modulus that is empty, but rather the entire > DNSKEY key value (exponent length, exponent, modulus): > > nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError > nlagriculture.nl. IN DNSKEY 257 3 13 vRMOgGXuo/Ra...Yj7dpYrzWOg== ; NoError > nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAfc58Rv7...6fPPDdZJ/tfj ; NoError > nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAeBjJKDZ...pOKqfoFAnmx1 ; NoError > > nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError > nlenergyandclimatechange.nl. IN DNSKEY 257 3 13 > SURx8TOW5B07...liYpu7BmE0w== ; NoError > nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 > AwEAAb2AbhJT...ppErUsfvCMGtv ; NoError > nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 > AwEAAaeQDrF0...u3IdA2xzSiqZF ; NoError > > Unbound validates the DNSKEY RRset just fine, but these give DNSViz some > indigestion: > > https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/ > https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/ > > the graphs fail to display. I wonder whether any other tools > (especially resolvers) have difficulties with these... > > -- > Viktor. > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
