[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
Petr Špaček
pspacek at isc.org
Wed Mar 3 08:24:47 UTC 2021
On 03. 03. 21 7:35, Viktor Dukhovni wrote:
> On Wed, Mar 03, 2021 at 06:04:45AM +0000, Paul Vixie wrote:
>
>>> A laudable goal, but exposing RRSIG as a bare RRset one can query does
>>> not look like a viable path forward. So I don't see this happening.
>> You described several cases in which rrsigs wouldn't be stable enough.
>> In my own role as signer, the rrsigs are refreshed by cron on Sundays,
>> and so I think we're both looking at anecdotes here, worst or best case
>> scenarios, and what you don't see happening isn't totally compelling.
> Another basic issue with RRSIG queries, already mentioned by Brian Dickson,
> is that there's no way to ask for the RRSIG of a specific RRset, one can
> (at present) only ask for all (or any subset) of the RRSIGs associated
> with a given name, and returning them all (at least over UDP) is often
> not a good idea.
>
> So, as noted by Tony Finch, the DNSSEC-oblivious iterative resolver may
> (as already recommended) get back from its authoritative upstream only a
> random representative record from the authoritative upstream (just as
> with ANY queries), which is again often not the RRSIG you're looking
> for.
For the record, "respond with a randomly selected RRSIG" is implemented
in Knot DNS 3.0.0, released in September 2020 [1]. Apparently the sky did
not fall.
[1] https://www.knot-dns.cz/2020-09-09-version-300.html
--
Petr Špaček @ ISC
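The limitation Viktor describes (a QTYPE=RRSIG question selects by owner name only; the Type Covered field lives inside each RRSIG's RDATA, so a client that wants the signature over one RRset has to fetch every RRSIG at the name and filter client-side) is shown below as an added example that is not part of the thread. The RRSIG records, the signer name `example.`, the key tag and the timestamps are constructed sample values, not data from any real zone.

```python
import struct
from dataclasses import dataclass

RRSIG = 46  # RR type code for RRSIG; QTYPE=46 asks for all RRSIGs at a name

@dataclass
class RrsigRdata:
    type_covered: int   # the RR type this signature covers (A=1, NS=2, AAAA=28, ...)
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int
    inception: int
    key_tag: int
    signer: str
    signature: bytes

def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf: bytes, off: int):
    """Decode an uncompressed wire-format name; returns (name, new_offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_rrsig_rdata(r: RrsigRdata) -> bytes:
    """RFC 4034 RRSIG RDATA: 18 fixed bytes, then signer name, then signature."""
    fixed = struct.pack("!HBBIIIH", r.type_covered, r.algorithm, r.labels,
                        r.original_ttl, r.expiration, r.inception, r.key_tag)
    return fixed + encode_name(r.signer) + r.signature

def parse_rrsig_rdata(rdata: bytes) -> RrsigRdata:
    tc, alg, labels, ottl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = decode_name(rdata, 18)
    return RrsigRdata(tc, alg, labels, ottl, exp, inc, tag, signer, rdata[off:])

def select_covering(rdatas, wanted_type: int):
    """Client-side filter the wire question cannot express: keep only the
    RRSIGs whose Type Covered equals the RRset type we actually wanted."""
    return [r for r in map(parse_rrsig_rdata, rdatas) if r.type_covered == wanted_type]

# Constructed sample: three RRSIGs at one owner name, covering A, AAAA and NS.
SAMPLE_RRSIGS = [build_rrsig_rdata(RrsigRdata(t, 13, 1, 3600, 1615161600, 1613952000,
                                              12345, "example.", bytes([t]) * 8))
                 for t in (1, 28, 2)]
```

If the authoritative server answers QTYPE=46 with a single randomly chosen RRSIG (the Knot DNS behaviour mentioned above), `select_covering` is empty for every other type, which is exactly the "not the RRSIG you're looking for" outcome described in the quoted message.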