[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 2 23:44:16 UTC 2021

> On Mar 2, 2021, at 9:31 PM, Paul Vixie <paul at redbarn.org> wrote:
> On Tue, Mar 02, 2021 at 04:57:30PM -0200, Viktor Dukhovni wrote:
>> My suggestion is:
>> ...
>>  * Finally, only since it was mentioned in the relevant text of 403[45],
>>    respond naturally to DNSKEY, that's a perfectly ordinary RRSet.
> i don't think we should give up on dnssec-aware apps, or on validating stubs.
> there was discussion of making the dnssec types meta-only (authority or
> additional) back in the day. that road was deliberately unchosen.

I don't understand what you're saying.  My quoted text attempts to say
that while RRSIG and NSEC3 queries are "unnatural" and could be REFUSED
or replied in some suitably synthetic manner, DNSKEY is no different from
A, AAAA, MX, ... and needs no special treatment.

I don't quite understand how "giving up" or not "giving up" on "dnssec-aware"
apps fits into the picture.  If, as Brian Dickson upthread, you're trying to
find a way for applications to work around non-cooperative iterative resolvers,
and somehow assemble all the DNSSEC metadata piecemeal over multiple requests,
that's very unlikely to work.

If on the other hand, you're arguing that given a validated response, an
application should also be able to assemble the full validation chain by
separately asking for the requisite signed DS and DNSKEY RRsets, then that's
quite reasonable, and my comment on DNSKEY supports that use-case...
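The chain assembly described in the last paragraph, an application fetching the DS RRset from each parent and the DNSKEY RRset from each signed apex and checking that they link up, as an added Python example; this is not code from this thread or from any of its posters. It assumes a constructed RRset store keyed by (owner, type), filler public-key bytes that are not real keys, and a trust anchor in DS form (the shape of IANA's root trust anchor). It checks only the DS-to-DNSKEY linkage of RFC 4034 (key tag, plus SHA-256 digest over the canonical owner name and the DNSKEY RDATA); RRSIG verification, which needs real key material, is outside its scope.

```python
"""Assemble the DS/DNSKEY chain of trust for a name from a set of RRsets.

Added illustration for the dns-operations thread, not code from the list.
Everything below (the RRset store, the key bytes, the trust anchor) is
constructed; public keys are filler, so only the DS linkage is exercised.
"""
import hashlib

DS_DIGEST_SHA256 = 2       # DS digest type 2 (RFC 4509)
ALG_ECDSAP256SHA256 = 13   # DNSKEY algorithm number (RFC 6605)
FLAG_ZONE_KEY, FLAG_SEP = 256, 1   # 257 together: a KSK


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase labels,
    each length-prefixed, terminated by the root label."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def ds_for(owner: str, rdata: bytes) -> tuple:
    """The DS tuple (key tag, algorithm, digest type, digest) a parent would
    publish for this DNSKEY (RFC 4034 5.1.4, SHA-256 digest only here)."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DS_DIGEST_SHA256, digest)


def parent_of(name: str) -> str:
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def assemble_chain(qname: str, store: dict, trust_anchor: tuple) -> list:
    """Walk from qname up to the root. A name is treated as a signed zone apex
    when its parent publishes a DS for it (or, at the root, when a trust anchor
    exists); its DNSKEY RRset is then fetched and one key must match that DS.
    Returns [(zone, key tag), ...] leaf-first; raises ValueError on a break."""
    chain = []
    name = qname if qname.endswith(".") else qname + "."
    while True:
        ds_set = [trust_anchor] if name == "." else store.get((name, "DS"), [])
        if ds_set:
            keys = store.get((name, "DNSKEY"), [])
            linked = [k for k in keys if ds_for(name, k) in ds_set]
            if not linked:
                raise ValueError(f"no DNSKEY at {name} matches its DS / trust anchor")
            chain.append((name, key_tag(linked[0])))
        if name == ".":
            return chain
        name = parent_of(name)


def build_sample_store() -> tuple:
    """Constructed data: a root KSK and an example. KSK with filler key bytes.
    No DS exists for www.example., so the walk must not treat it as an apex."""
    root_key = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ECDSAP256SHA256, bytes(range(64)))
    example_key = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
    store = {
        (".", "DNSKEY"): [root_key],
        ("example.", "DNSKEY"): [example_key],
        ("example.", "DS"): [ds_for("example.", example_key)],   # served by the root
    }
    return store, ds_for(".", root_key)   # trust anchor in DS form


if __name__ == "__main__":
    store, anchor = build_sample_store()
    for zone, tag in assemble_chain("www.example.", store, anchor):
        print(f"{zone:10s} linked via key tag {tag}")
```

Corrupting a single byte of the example. DNSKEY in the store makes `assemble_chain` raise, because the digest in the parent's DS no longer matches; that is the check an application performs for each link after it has fetched the two RRsets.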

