[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Paul Vixie paul at redbarn.org
Wed Mar 3 06:04:45 UTC 2021

On Tue, Mar 02, 2021 at 08:34:21PM -0500, Viktor Dukhovni wrote:
> On Wed, Mar 03, 2021 at 12:40:55AM +0000, Paul Vixie wrote:
> > I think you had me right the first time. I'm imagining a world with
> > dnssec aware apps and stubs (and therefore, DANE validators in TLS
> > clients), where some paths are closed for stupid reasons..., but the
> > rest are either dnssec-aware or dnssec-nondamaging. We should not make
> > the minimum viable product unbuildable unless we lack better choices.
> A laudable goal, but exposing RRSIG as a bare RRset one can query does
> not look like a viable path forward.  So I don't see this happening.

you described several cases in which rrsigs wouldn't be stable enough.
in my own role as signer, the rrsigs are refreshed by cron on sundays,
and so i think we're both looking at anecdotes here, worst or best case
scenarios, and what you don't see happening isn't totally compelling.

> More likely equipment that gets in the way will over time get replaced,
> or users will tunnel traffic to a less broken resolver.

there's a lot of ways this can go. i usually share the pessimism you're
expressing. but that doesn't mean i won't care if we make it all worse.

Paul Vixie