[dns-operations] Google DNS ignores DNSSEC validation failure

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Oct 2 03:28:11 UTC 2016

On Sun, Oct 02, 2016 at 02:59:23AM +0000, Edward Lewis wrote:

> However, if it were the case that, minutes ago, insecuretest.switch.ch
> was legitimately delegated as insecure and the NS and SOA learned, then
> the delegation (in the parent) was deleted before the DS query came, the
> resolver arguably could still rely on the NS and SOA records.

Taking the "arguably" side of the branch, we get opportunities for
an MiTM to mint arbitrary insecure names in signed zones, provided
the name does not exist in the parent.  Since this is a bad outcome,
that choice should not be available.

In other words, when adding as yet unvalidated data to the cache
(data that is not yet known to be secure or insecure), if the parent
domain is signed and the DS record returns NXDOMAIN, and the
specification does not currently require that the unvalidated
records MUST be deemed bogus, then a document to that effect needs
to be produced.

This would still allow for returning cached records that were
legitimately determined to be insecurely delegated in the past,
but would not allow forgery of new data by an MiTM.
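The cache-admission rule argued in the message above, written out as an added example (this is not code from the thread or from any resolver implementation; the names, the `DSResult`/`State` model and the toy cache are assumptions made here to illustrate the logic). It models a validating resolver that classifies as-yet-unvalidated child data by the parent's DS answer, treats a signed parent's NXDOMAIN for the DS name as proof that the child name does not exist (so the unvalidated records are bogus), and still serves an insecure delegation that was legitimately cached earlier until its TTL expires.

```python
from dataclasses import dataclass
from enum import Enum


class DSResult(Enum):
    """Outcome of the DS query at the (signed) parent for the child name."""
    PRESENT = "present"    # validated DS RRset exists: child zone is signed
    NODATA = "nodata"      # name exists in parent, proven no DS: insecure delegation
    NXDOMAIN = "nxdomain"  # parent proves the child name does not exist at all


class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def admit_unvalidated(parent_signed: bool, ds_result: DSResult,
                      child_rrsigs_validate: bool) -> State:
    """Classify unvalidated child records (NS/SOA/...) before caching them.

    The rule from the post: if the parent is signed and the DS query returns
    NXDOMAIN, the records must be deemed bogus; no insecure name may be
    minted where the parent proves nothing exists.
    """
    if not parent_signed:
        # Unsigned parent: nothing can be proven, data is plain insecure.
        return State.INSECURE
    if ds_result is DSResult.NXDOMAIN:
        return State.BOGUS
    if ds_result is DSResult.NODATA:
        return State.INSECURE
    if ds_result is DSResult.PRESENT:
        return State.SECURE if child_rrsigs_validate else State.BOGUS
    return State.BOGUS  # any other DS outcome: fail closed


@dataclass
class CacheEntry:
    name: str
    rrtype: str
    state: State
    expires_at: int  # absolute time, seconds


class ValidatingCache:
    """Minimal cache keyed by (name, type); bogus data is never stored."""

    def __init__(self):
        self._entries = {}

    def store(self, name, rrtype, state, now, ttl):
        self._entries[(name, rrtype)] = CacheEntry(name, rrtype, state, now + ttl)

    def lookup(self, name, rrtype, now):
        entry = self._entries.get((name, rrtype))
        if entry is None or entry.expires_at <= now:
            return None
        return entry


def resolve(cache, name, rrtype, now, parent_signed, ds_result,
            rrsigs_ok, ttl=300):
    """Return (state, served_from_cache) for one lookup at time `now`."""
    cached = cache.lookup(name, rrtype, now)
    if cached is not None and cached.state in (State.SECURE, State.INSECURE):
        # Data legitimately validated earlier stays usable until it expires.
        return cached.state, True
    state = admit_unvalidated(parent_signed, ds_result, rrsigs_ok)
    if state is not State.BOGUS:
        cache.store(name, rrtype, state, now, ttl)
    return state, False


def demo():
    """Two constructed scenarios from the thread; names are illustrative."""
    cache = ValidatingCache()
    # Scenario A: insecuretest.switch.ch is a real insecure delegation at t=0
    # (parent proves no DS), later removed from the parent entirely.
    a1 = resolve(cache, "insecuretest.switch.ch", "NS", 0, True, DSResult.NODATA, False)
    a2 = resolve(cache, "insecuretest.switch.ch", "NS", 100, True, DSResult.NXDOMAIN, False)
    a3 = resolve(cache, "insecuretest.switch.ch", "NS", 400, True, DSResult.NXDOMAIN, False)
    # Scenario B: unvalidated NS for a name the signed parent says never existed.
    b1 = resolve(cache, "minted.example", "NS", 0, True, DSResult.NXDOMAIN, False)
    return {"a1": a1, "a2": a2, "a3": a3, "b1": b1}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result[0].value, "cached" if result[1] else "fresh")
```

In scenario A the first lookup is admitted as insecure and cached; the second, after the parent deleted the delegation, is still answered from cache (the "legitimately determined to be insecurely delegated in the past" case); the third, after the 300 s TTL, is refused as bogus because the only current proof is NXDOMAIN. Scenario B never enters the cache at all.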