SIG(0) "request has invalid signature: not verified yet (NOERROR)"
Malcolm Scott
Malcolm.Scott at cl.cam.ac.uk
Tue Nov 5 17:31:07 UTC 2024
On Tue, 5 Nov 2024, Robert Wagner wrote:
> Crypto question - You mention using RSASHA512, but the record shows
> ed25519 (elliptic curve) crypto. Any chance you can standardize on one or
> the other (RSA or ECC)? This may not be an issue, but it seems odd.
That's a fair question. Those choices were made about a decade apart, and
it didn't occur to me to make them consistent! And I did migrate the zone
signing to ed25519 at the same time I upgraded to 9.20 (as what I was doing
before -- can't recall exactly -- got deprecated).
But surely the zone signing doesn't come into play, as the nsupdate attempt
got rejected before it had a chance to modify the contents of the zone?
Regardless I'll try adjusting the algorithm choice in case it does make a
difference.
Malcolm