[dns-operations] DNSSEC validation - salliemae.com

Alexander Dupuy alexdupuy at google.com
Wed Aug 7 19:44:01 UTC 2019


Viktor Dukhovni wrote:

> Not completely, the DNSKEY RRset appears to validate fine, but the SOA
> signature is broken (perhaps serial bumped after signing?), and so
> all denial of existence fails


I'm curious whether a resolver that fails validation of a negative response
only because of a bad RRSIG SOA record would be allowed by the RFCs to
return an uncached negative response without an SOA (or just return an
NXDOMAIN/NODATA response without caching, if it is a stub resolver).

I'm not at all convinced that this would be a good idea (it is generally
better to get people to fix their broken authorities than to paper over
their mistakes at the resolvers) but perhaps doing so is not (yet)
forbidden?

-- 
@alex