[dns-operations] Fwd: [pacnog] Verisign's Patent Application for the Transfer of DNSSEC Domains

Alexander Gurvitz alex at net-me.net
Wed Oct 10 02:12:09 UTC 2012

I have to apologise, my conclusions (
http://ubuntuone.com/4Bz1BqOsGMkTUQgViEL0rz) were probably somewhat
premature. (Well, I was excited to find a VE-RI-SI-G-N fault :).

I think issues do exist, but I can't really tell how severe they are.

After spending some time reading RFC4035, I see that for most well-behaved
resolvers - at first they will find the RRSIG they can't validate and thus
they will either retry (and in our case the very first retry would do), or
they will return SERVFAIL, and maybe cache that SERVFAIL result for some
short time (but not for as long as the TTL), and then query for a new RR and
RRSIGs, which will work.

Though the Verisign approach should affect validating stub resolvers which use
the CD bit - their forwarders possibly will not validate RRSIGs, and thus will
not expire RRSIGs which fail to validate. In this particular case my
conclusions still appear true to me.

Maybe someone can comment...

Alexander Gurvitz,

On 9 Oct 2012, at 17:29, Alexander Gurvitz <alex at net-me.net> wrote:

> I came up with a side-by-side comparison of the Verisign patent
> application vs. the IETF draft which Tony Finch mentioned.
> It seems that the patent is very close to the draft, with one little
> change, but as far as I see,
> the consequence of that little change is that the process described in the
> patent breaks DNSSEC validation. :)
> PDF with the comparison - http://ubuntuone.com/4Bz1BqOsGMkTUQgViEL0rz