[dns-operations] DNSSEC validation - salliemae.com

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 7 20:43:52 UTC 2019

On Wed, Aug 07, 2019 at 03:44:01PM -0400, Alexander Dupuy wrote:

> > Not completely, the DNSKEY RRset appears to validate fine, but the SOA
> > signature is broken (perhaps serial bumped after signing?), and so
> > all denial of existence fails
> I'm curious whether a resolver that fails validation of a negative response
> only because of a bad RRSIG SOA record would be allowed by the RFCs to
> return an uncached negative response without an SOA (or just return an
> NXDOMAIN/NODATA response without caching, if it is a stub resolver).

Indeed the SOA is used primarily for the negative TTL, and so given
properly signed NSEC/NSEC3 records, perhaps it could be OK to accept,
but not cache the denial of existence, but at least unbound does
not do that, rather queries for non-existent names SERVFAIL.

[ The above is not a speculative, and not a carefully considered view
  on what may or may not be RFC-compliant. ]


More information about the dns-operations mailing list