Commit ba2cb05a authored by Jan Včelák

DNSSEC: use only compatible algorithms with NSEC/NSEC3

Key algorithm and used NSEC type must match:

RFC 5155 states that, for compatibility with old resolvers, NSEC3
must be used only with NSEC3 algorithms.

It makes no sense to sign NSEC with NSEC3 keys, because it will make
the validation impossible on NSEC3-unaware resolvers. This is stricter
than what dnssec-signzone from ISC does.

refs #4
parent 4a336efc
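
The matching rule from the commit message, sketched as an added example (not the project's code; the diff is not shown on this page). The function names are hypothetical, the key set is constructed, and treating the algorithms defined after RFC 5155 as valid for both NSEC and NSEC3 is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNSKEY algorithm numbers as assigned in the IANA registry. */
enum { RSAMD5 = 1, DSA = 3, RSASHA1 = 5, DSA_NSEC3_SHA1 = 6,
       RSASHA1_NSEC3_SHA1 = 7, RSASHA256 = 8, RSASHA512 = 10,
       ECDSAP256SHA256 = 13, ECDSAP384SHA384 = 14 };

/* Hypothetical helper: may a key with this algorithm sign a zone that
 * uses NSEC3 (nsec3 == true) or plain NSEC (nsec3 == false)? */
bool key_matches_nsec_type(uint8_t algorithm, bool nsec3)
{
	switch (algorithm) {
	case RSAMD5: case DSA: case RSASHA1:
		return !nsec3; /* predate RFC 5155: NSEC3-unaware resolvers know them */
	case DSA_NSEC3_SHA1: case RSASHA1_NSEC3_SHA1:
		return nsec3;  /* RFC 5155 aliases; strict rule: never sign NSEC */
	case RSASHA256: case RSASHA512:
	case ECDSAP256SHA256: case ECDSAP384SHA384:
		return true;   /* assumption: later algorithms work with both */
	default:
		return false;  /* unknown algorithm: refuse to sign */
	}
}

/* Count the keys of a key set that may sign the zone; 0 means the
 * zone cannot be signed with the chosen denial-of-existence type. */
size_t usable_keys(const uint8_t *algorithms, size_t count, bool nsec3)
{
	size_t usable = 0;
	for (size_t i = 0; i < count; i++)
		usable += key_matches_nsec_type(algorithms[i], nsec3);
	return usable;
}

int main(void)
{
	/* Constructed key set: RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256. */
	const uint8_t keys[] = { RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256 };
	printf("NSEC: %zu usable, NSEC3: %zu usable\n",
	       usable_keys(keys, 3, false), usable_keys(keys, 3, true));
	return 0;
}
```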