[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Mar 3 06:35:39 UTC 2021

On Wed, Mar 03, 2021 at 06:04:45AM +0000, Paul Vixie wrote:

> > A laudable goal, but exposing RRSIG as a bare RRset one can query does
> > not look like a viable path forward.  So I don't see this happening.
> You described several cases in which rrsigs wouldn't be stable enough.
> In my own role as signer, the rrsigs are refreshed by cron on Sundays,
> and so I think we're both looking at anecdotes here, worst or best case
> scenarios, and what you don't see happening isn't totally compelling.

Another basic issue with RRSIG queries, already mentioned by Brian Dickson,
is that there's no way to ask for the RRSIG of a specific RRset; one can
(at present) only ask for all (or any subset) of the RRSIGs associated
with a given name, and returning them all (at least over UDP) is often
not a good idea.

So, as noted by Tony Finch, the DNSSEC-oblivious iterative resolver may
(as already recommended) get back from its authoritative upstream only a
random representative record from the authoritative upstream (just as
with ANY queries), which is again often not the RRSIG you're looking

> > More likely equipment that gets in the way will over time get replaced,
> > or users will tunnel traffic to a less broken resolver.
> There's a lot of ways this can go. I usually share the pessimism you're
> expressing. But that doesn't mean I won't care if we make it all worse.

I haven't yet seen any sound proposals for cobbling together DNSSEC
answers via a non-DNSSEC iterator.  Perhaps it is sometimes possible,
but I'd expect this to be quite brittle, and I'm generally not fond of
things that work only when the planets line up just right.
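As an added example, not code from this thread or from any signer or resolver mentioned in it: a small Python handler for the RRSIG RDATA wire format (RFC 4034 section 3.1). It shows the two points above in code. The covered type is a field inside each RRSIG's RDATA rather than part of the question, so a QTYPE=RRSIG query can only fetch the whole signature RRset and the client must decode and filter locally; and if the upstream answers with a single representative record, as with ANY, the signature the client wanted may simply not be in the reply. The owner name, signer, key tag, timestamps and signature bytes are constructed placeholders, not real signatures.

```python
"""RRSIG RDATA wire format (RFC 4034 section 3.1), used here to show why a
QTYPE=RRSIG query cannot select the signature over one particular RRset:
the covered type lives inside each RRSIG's RDATA, not in the question, so
the client has to decode every RRSIG it gets back and filter client-side.
All records built below are constructed placeholders, not real signatures."""
from __future__ import annotations

import struct
from typing import List, NamedTuple, Tuple

TYPE_A, TYPE_MX, TYPE_TXT, TYPE_RRSIG = 1, 15, 16, 46
# Fixed-size prefix: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag (18 bytes in total).
_HEADER = struct.Struct("!HBBIIIH")


class RRSIG(NamedTuple):
    type_covered: int
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int
    inception: int
    key_tag: int
    signer: str
    signature: bytes


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name; the signer's name in an RRSIG must
    not use compression pointers (RFC 4034 section 3.1.7)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def decode_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name starting at offset; return (name, end)."""
    labels = []
    while True:
        length = buf[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in signer name")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def build_rrsig(sig: RRSIG) -> bytes:
    """Serialise an RRSIG record's RDATA to wire format."""
    return (_HEADER.pack(sig.type_covered, sig.algorithm, sig.labels,
                         sig.original_ttl, sig.expiration, sig.inception,
                         sig.key_tag)
            + encode_name(sig.signer) + sig.signature)


def parse_rrsig(rdata: bytes) -> RRSIG:
    """Parse RRSIG RDATA; the signature is everything after the signer name."""
    if len(rdata) < _HEADER.size + 2:
        raise ValueError("RRSIG RDATA too short")
    fields = _HEADER.unpack_from(rdata, 0)
    signer, end = decode_name(rdata, _HEADER.size)
    signature = rdata[end:]
    if not signature:
        raise ValueError("RRSIG has no signature bytes")
    return RRSIG(*fields, signer, signature)


def select_covering(rrsig_rdatas: List[bytes], wanted_type: int) -> List[RRSIG]:
    """Client-side filtering by Type Covered: the only way to pick the RRSIG
    over one RRset out of everything a QTYPE=RRSIG query returns."""
    sigs = [parse_rrsig(r) for r in rrsig_rdatas]
    return [s for s in sigs if s.type_covered == wanted_type]


def minimal_response(rrsig_rdatas: List[bytes]) -> List[bytes]:
    """Models an upstream that, as it may for ANY, answers with a single
    representative record instead of the whole RRSIG RRset."""
    return rrsig_rdatas[:1]


def sample_rrsig_set() -> List[bytes]:
    """Constructed RRSIG RRset at one owner name: signatures over the A, MX
    and TXT RRsets. Signer, key tag, timestamps and signature bytes are
    placeholders for the example, not output of any real signer."""
    common = dict(algorithm=13, labels=2, original_ttl=3600,
                  expiration=1617235200, inception=1614556800,
                  key_tag=12345, signer="example.com.")
    return [build_rrsig(RRSIG(type_covered=t,
                              signature=b"placeholder-sig-%d" % t, **common))
            for t in (TYPE_A, TYPE_MX, TYPE_TXT)]
```

`select_covering(sample_rrsig_set(), TYPE_MX)` finds the MX signature only because the client decodes all three RDATAs; `select_covering(minimal_response(sample_rrsig_set()), TYPE_MX)` comes back empty, which is the failure mode of a DNSSEC-oblivious path that hands back one representative RRSIG.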

