W.C.A. Wijngaards
Mon Apr 10 15:10:30 CEST 2017

Hi Ondrej,

On 10/04/17 14:57, Ondřej Surý wrote:
> I see - the 31653 DS is only algo 1, but the other one is 1,2, but
> But RFC 4509 says:
> 3.  Implementation Requirements
>    Implementations MUST support the use of the SHA-256 algorithm in DS
>    RRs.  Validator implementations SHOULD ignore DS RRs containing SHA-1
>    digests if DS RRs with SHA-256 digests are present in the DS RRset.
> So perhaps Unbound is too strict here?  There are no known usable
> attacks on SHA-1 for use in DNSSEC, so I don't think it's necessary to
> ignore it right _now_.

But unbound clearly implements the SHOULD and thus should be
interoperable?  That is what the 'SHOULD' is there for, right?
So, I am doing this because I think it is the standard.  And I think so
should you.

I didn't do this out of strictness, but out of trying to implement
exactly what the standard said.

Best regards, Wouter

> O.
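Worked example of the RFC 4509 section 3 rule the two messages argue about, added here and not part of the thread or of unbound's code. It builds a constructed DS RRset shaped like the one Ondřej describes (key tag 31653 published with a SHA-1 digest only, a second key, tag 12345 constructed, with both SHA-1 and SHA-256 digests) and shows which keys a validator can still reach under the RRset-wide reading (the text of the RFC, which is what Wouter says unbound implements) versus a per-key-tag reading. It also includes the DS digest computation from a DNSKEY (RFC 4034 section 5.1.4) so the filtered records can actually be checked; the DNSKEY public key bytes are constructed, not a real key.

```python
import hashlib
from dataclasses import dataclass

# DS digest type codes (RFC 4034 appendix A.2, RFC 4509 section 2).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_LEN = {DIGEST_SHA1: 40, DIGEST_SHA256: 64}  # hex characters


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int      # DNSKEY algorithm number (8 = RSASHA256)
    digest_type: int
    digest: str         # lowercase hex


def usable_ds_rfc4509(rrset):
    """RFC 4509 section 3 read literally: if any DS in the RRset carries a
    SHA-256 digest, every DS carrying a SHA-1 digest is ignored, whichever
    key it points at. A key published with a SHA-1 DS only becomes unusable."""
    if any(ds.digest_type == DIGEST_SHA256 for ds in rrset):
        return [ds for ds in rrset if ds.digest_type != DIGEST_SHA1]
    return list(rrset)


def usable_ds_per_key(rrset):
    """The more lenient reading: prefer SHA-256 over SHA-1 only among the DS
    records of the same key tag, so a SHA-1-only key stays reachable."""
    tags_with_sha256 = {ds.key_tag for ds in rrset if ds.digest_type == DIGEST_SHA256}
    return [ds for ds in rrset
            if not (ds.digest_type == DIGEST_SHA1 and ds.key_tag in tags_with_sha256)]


def keys_reachable(ds_list):
    """Key tags for which at least one DS record survived filtering."""
    return sorted({ds.key_tag for ds in ds_list})


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 6.2."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type):
    """DS digest = hash(owner name wire | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    data = name_to_wire(owner) + rdata
    if digest_type == DIGEST_SHA1:
        return hashlib.sha1(data).hexdigest()
    if digest_type == DIGEST_SHA256:
        return hashlib.sha256(data).hexdigest()
    raise ValueError("unsupported digest type %d" % digest_type)


# Constructed RRset mirroring the thread: 31653 is SHA-1 only, 12345 has both.
SAMPLE_RRSET = [
    DS(31653, 8, DIGEST_SHA1, "aa" * 20),
    DS(12345, 8, DIGEST_SHA1, "bb" * 20),
    DS(12345, 8, DIGEST_SHA256, "cc" * 32),
]

if __name__ == "__main__":
    print("RFC 4509 RRset-wide:", keys_reachable(usable_ds_rfc4509(SAMPLE_RRSET)))
    print("per key tag:        ", keys_reachable(usable_ds_per_key(SAMPLE_RRSET)))
    # Constructed DNSKEY (flags 257 = KSK, protocol 3, algorithm 8, fake key bytes).
    print(ds_digest("example.", 257, 3, 8, b"\x03\x01\x00\x01" + b"\x42" * 32, DIGEST_SHA256))
```

The point of the two filters side by side is operational: under the RRset-wide reading, a parent that adds a SHA-256 DS for one key while another key is still delegated with SHA-1 only has, from the validator's point of view, removed that second key from the chain of trust. Publishing both digest types for every key, or none, avoids the disagreement entirely.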

