After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
back, two domains now have new zero-length RSA 8 KSKs, along with
working new ECDSA KSKs:
https://stats.dnssec-tools.org/explore/?nlagriculture.nl
https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl
It isn't only the RSA modulus that is empty, but rather the entire
DNSKEY key value (exponent length, exponent, modulus):
nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError
nlagriculture.nl. IN DNSKEY 257 3 13 vRMOgGXuo/Ra...Yj7dpYrzWOg== ; NoError
nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAfc58Rv7...6fPPDdZJ/tfj ; NoError
nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAeBjJKDZ...pOKqfoFAnmx1 ; NoError
nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError
nlenergyandclimatechange.nl. IN DNSKEY 257 3 13 SURx8TOW5B07...liYpu7BmE0w== ; NoError
nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAb2AbhJT...ppErUsfvCMGtv ; NoError
nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAaeQDrF0...u3IdA2xzSiqZF ; NoError
Unbound validates the DNSKEY RRset just fine, but these give DNSViz some
indigestion:
https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/
https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/
the graphs fail to display. I wonder whether any other tools
(especially resolvers) have difficulties with these...
--
Viktor.
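
[Added example, not part of the original post and not code from any of the tools named in it: a check that flags DNSKEY records whose RSA key value (exponent length, exponent, modulus, per RFC 3110) is empty or truncated, as with the algorithm 8 KSKs above. The owner name zone.example. and both keys are constructed sample values, and parse_rsa_key / audit_dnskey are names chosen for this example.]

```python
import base64

RSA_ALGS = {5, 7, 8, 10}  # DNSSEC algorithms using the RFC 3110 RSA key format

def parse_rsa_key(raw: bytes):
    """Split RFC 3110 key data into (exponent, modulus) or raise ValueError."""
    if not raw:
        raise ValueError("empty key value: no exponent length, exponent or modulus")
    explen, off = raw[0], 1
    if explen == 0:  # long form: the next two octets carry the exponent length
        if len(raw) < 3:
            raise ValueError("truncated long-form exponent length")
        explen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + explen], raw[off + explen:]
    if explen == 0 or len(exponent) < explen:
        raise ValueError("missing or truncated exponent")
    if not modulus:
        raise ValueError("empty modulus")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def audit_dnskey(line: str):
    """Return (owner, flags, algorithm, problem-or-None) for one DNSKEY line."""
    fields = line.split(";", 1)[0].split()  # drop the trailing comment
    i = fields.index("DNSKEY")
    flags, _proto, alg = (int(f) for f in fields[i + 1:i + 4])
    key_b64 = "".join(fields[i + 4:])  # base64 may be split by whitespace
    try:
        raw = base64.b64decode(key_b64, validate=True)
        if alg in RSA_ALGS:
            parse_rsa_key(raw)
        elif alg == 13 and len(raw) != 64:
            raise ValueError("ECDSA P-256 key is not 64 octets")
    except ValueError as exc:  # also covers invalid base64 (binascii.Error)
        return fields[0], flags, alg, str(exc)
    return fields[0], flags, alg, None

# Constructed sample keys and owner name (not the real keys from the post)
GOOD_RSA = base64.b64encode(b"\x03\x01\x00\x01" + b"\xc3" * 256).decode()
GOOD_EC = base64.b64encode(b"\x5a" * 64).decode()
SAMPLE = [
    "zone.example. IN DNSKEY 257 3 8 ; NoError",
    f"zone.example. IN DNSKEY 257 3 13 {GOOD_EC} ; NoError",
    f"zone.example. IN DNSKEY 256 3 8 {GOOD_RSA} ; NoError",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(*audit_dnskey(line))
```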