[dns-operations] DNSSEC validation - salliemae.com

Alexander Dupuy alexdupuy at google.com
Wed Aug 7 19:44:01 UTC 2019

Viktor Dukhovni wrote:

> Not completely, the DNSKEY RRset appears to validate fine, but the SOA
> signature is broken (perhaps serial bumped after signing?), and so
> all denial of existence fails

I'm curious whether a resolver that fails validation of a negative response
only because of a bad RRSIG SOA record would be allowed by the RFCs to
return an uncached negative response without an SOA (or just return an
NXDOMAIN/NODATA response without caching, if it is a stub resolver).

I'm not at all convinced that this would be a good idea (it is generally
better to get people to fix their broken authorities than to paper over
their mistakes at the resolvers) but perhaps doing so is not (yet)
