[dns-operations] DNSSEC validation - salliemae.com
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Aug 7 20:43:52 UTC 2019
On Wed, Aug 07, 2019 at 03:44:01PM -0400, Alexander Dupuy wrote:
> > Not completely, the DNSKEY RRset appears to validate fine, but the SOA
> > signature is broken (perhaps serial bumped after signing?), and so
> > all denial of existence fails
>
> I'm curious whether a resolver that fails validation of a negative response
> only because of a bad RRSIG SOA record would be allowed by the RFCs to
> return an uncached negative response without an SOA (or just return an
> NXDOMAIN/NODATA response without caching, if it is a stub resolver).
Indeed the SOA is used primarily for the negative TTL, and so given
properly signed NSEC/NSEC3 records, perhaps it could be OK to accept,
but not cache the denial of existence, but at least unbound does
not do that, rather queries for non-existent names SERVFAIL.
[ The above is not a speculative, and not a carefully considered view
on what may or may not be RFC-compliant. ]
--
Viktor.
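To make the distinction in the thread concrete: the denial-of-existence proof is carried by the NSEC/NSEC3 records and their RRSIGs, while the SOA in the authority section only supplies the negative-cache TTL (min of the SOA RR TTL and its MINIMUM field, per RFC 2308). The Python below is an added example, not code from the thread, from unbound, or from any resolver; it models a validator's decision over a constructed authority section (example.test is a placeholder zone), with `sig_valid` standing in for the cryptographic RRSIG check and a `strict` flag contrasting the SERVFAIL behaviour described above with the accept-but-do-not-cache alternative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str  # presentation-format RDATA

def covered_type(rrsig: RR) -> str:
    # The first RDATA field of an RRSIG is the type it covers.
    return rrsig.rdata.split()[0]

def rrsets(section):
    # Group records into RRsets keyed by (owner, type), RRSIGs excluded.
    out = {}
    for rr in section:
        if rr.rtype != "RRSIG":
            out.setdefault((rr.name, rr.rtype), []).append(rr)
    return out

def validate_negative(authority, sig_valid, strict=True):
    """Return (rcode, negative_ttl). sig_valid(rrsig) stands in for the
    signature check (it does not verify the NSEC/NSEC3 actually covers
    the queried name). strict=True: any bogus RRSIG -> SERVFAIL.
    strict=False: accept a valid NSEC/NSEC3 proof even if RRSIG(SOA) is
    bogus, but return TTL 0 so the denial is never cached."""
    sigs = [rr for rr in authority if rr.rtype == "RRSIG"]
    status = {}
    for (name, rtype) in rrsets(authority):
        matching = [s for s in sigs if s.name == name and covered_type(s) == rtype]
        status[(name, rtype)] = any(sig_valid(s) for s in matching)
    proof_ok = any(ok for (_, t), ok in status.items() if t in ("NSEC", "NSEC3"))
    soa_rrs = [rr for rr in authority if rr.rtype == "SOA"]
    if not proof_ok or not soa_rrs:
        return ("SERVFAIL", None)
    soa = soa_rrs[0]
    if status[(soa.name, "SOA")]:
        minimum = int(soa.rdata.split()[-1])       # SOA MINIMUM field
        return ("NXDOMAIN", min(soa.ttl, minimum))  # RFC 2308 negative TTL
    if strict:
        return ("SERVFAIL", None)
    return ("NXDOMAIN", 0)  # proof accepted, result not cached

# Constructed authority section of an NXDOMAIN answer (not real records).
AUTHORITY = [
    RR("example.test.", "SOA", 3600,
       "ns1.example.test. hostmaster.example.test. 2019080701 7200 900 1209600 300"),
    RR("example.test.", "RRSIG", 3600, "SOA 8 2 3600 20190901000000 20190801000000 12345 example.test. <sig>"),
    RR("a.example.test.", "NSEC", 300, "c.example.test. A RRSIG NSEC"),
    RR("a.example.test.", "RRSIG", 300, "NSEC 8 3 300 20190901000000 20190801000000 12345 example.test. <sig>"),
]

def all_valid(rrsig): return True
def soa_sig_broken(rrsig): return covered_type(rrsig) != "SOA"
```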