paypal.com DNSKEY no valid signature found

Bjørn Mork bjorn at mork.no
Sun Mar 20 10:02:46 UTC 2022


Anand Buddhdev <anandb at ripe.net> writes:

> The zone is correctly signed, but with RSASHA1, which is not
> recommended. You may be on a Linux distro whose openssl disables old 
> algorithms like RSASHA1, and so BIND will not be able to validate this zone.

Doesn't that violate a MUST in RFC 8624?

Mostly curious - I understand the challenges depending on system library
support...


Bjørn

