[dns-operations] Odd behaviour on one node in I root-server (facebook, youtube & twitter)

bert hubert bert.hubert at netherlabs.nl
Wed Mar 31 10:18:07 UTC 2010


On Wed, Mar 31, 2010 at 11:44:01AM +0200, Marco Davids (SIDN) wrote:
> Until validating resolvers will retry at a completely other name server
> in such a case, in order to try to fix wat is broken, DNSSEC just allows
> you to discover that you have been fubared. Nothing more, nothing less.

This 'requerying' is especially tricky given the recent discoveries of
massive requerying after a key rollover.

In addition, if the final RRSET does not validate, the fault might lie at a
lot of places in the chain, down to the root servers.

This means that a resolver can't just requery one packet, it might have to
try shifting to sibbling nameservers at all levels of the validation chain.

Besides this being a problem with meddling nation states, this functionality
would also be necessary to deal with configuration errors. The concept of
'security lame' might become relevant - all current resolvers know how to
deal with a 'lame' server ("try the next one"). 

They may need the same kind of logic to deal with a server that emits
erroneous signatures, and "try the next one".

	Bert



More information about the dns-operations mailing list