[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs

Petr Špaček pspacek at isc.org
Wed Mar 3 08:24:47 UTC 2021


On 03. 03. 21 7:35, Viktor Dukhovni wrote:
> On Wed, Mar 03, 2021 at 06:04:45AM +0000, Paul Vixie wrote:
> 
>>> A laudable goal, but exposing RRSIG as a bare RRset one can query does
>>> not look like a viable path forward.  So I don't see this happening.
>> You described several cases in which rrsigs wouldn't be stable enough.
>> in my own role as signer, the rrsigs are refreshed by cron on sundays,
>> and so I think we're both looking at anecdotes here, worst or best case
>> scenarios, and what you don't see happening isn't totally compelling.
> Another basic issue with RRSIG queries, already mentioned by Brian Dickson,
> is that there's no way to ask for the RRSIG of a specific RRset; one can
> (at present) only ask for all (or any subset) of the RRSIGs associated
> with a given name, and returning them all (at least over UDP) is often
> not a good idea.
> 
> So, as noted by Tony Finch, the DNSSEC-oblivious iterative resolver may
> (as already recommended) get back from its authoritative upstream only a
> random representative record from the authoritative upstream (just as
> with ANY queries), which is again often not the RRSIG you're looking
> for.

For the record, "respond with a randomly selected RRSIG" is implemented
in Knot DNS 3.0.0, released in September 2020 [1]. Apparently the sky did
not fall.

[1] https://www.knot-dns.cz/2020-09-09-version-300.html

-- 
Petr Špaček  @  ISC
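As an added example (not code from the thread, and not Knot DNS code), the
following dependency-free Python sketch shows the wire-level reason behind the
point discussed above: the RRtype an RRSIG covers lives inside the RRSIG RDATA
("type covered", RFC 4034 section 3.1.1), so a QTYPE=RRSIG query can only name
the owner, and a server that answers with a single representative record will
often not return the signature the client wanted. The record layout follows
RFC 4034; the owner, signer name, timestamps, key tag and signature bytes are
all constructed test data, and the 512-byte figure is the classic UDP payload
limit without EDNS(0).

```python
"""
Why a QTYPE=RRSIG query cannot select the signature of one RRset.
Added example: constructed records, filler bytes in place of signatures.
"""
import struct

TYPE_A, TYPE_MX, TYPE_AAAA, TYPE_RRSIG = 1, 15, 28, 46
TYPE_NAMES = {TYPE_A: "A", TYPE_MX: "MX", TYPE_AAAA: "AAAA", TYPE_RRSIG: "RRSIG"}
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS(0)


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, zero-byte terminator."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split("."))
    return wire + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, offset after the terminator)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


# RRSIG RDATA fixed part (RFC 4034 section 3.1): type covered, algorithm,
# labels, original TTL, signature expiration, signature inception, key tag
# (18 bytes), followed by the signer's name and the raw signature.
RRSIG_FIXED = struct.Struct("!HBBIIIH")


def build_rrsig_rdata(type_covered, signer, signature, alg=8, labels=2,
                      orig_ttl=3600, expiration=1615000000,
                      inception=1614000000, key_tag=12345):
    """Assemble RRSIG RDATA; all default field values are constructed."""
    fixed = RRSIG_FIXED.pack(type_covered, alg, labels, orig_ttl,
                             expiration, inception, key_tag)
    return fixed + encode_name(signer) + signature


def parse_rrsig_rdata(rdata):
    """Decode RRSIG RDATA into a dict; 'type_covered' is the field of interest."""
    (type_covered, alg, labels, orig_ttl, expiration, inception,
     key_tag) = RRSIG_FIXED.unpack_from(rdata, 0)
    signer, off = decode_name(rdata, RRSIG_FIXED.size)
    return {"type_covered": type_covered, "algorithm": alg, "labels": labels,
            "orig_ttl": orig_ttl, "expiration": expiration,
            "inception": inception, "key_tag": key_tag, "signer": signer,
            "signature": rdata[off:]}


def rrsig_covering(rrsigs, qtype):
    """Client-side selection: from whatever RRSIG records came back for a
    name, keep the one covering qtype.  Returns None when it is absent, which
    is what happens when the server sent only one representative record."""
    for rd in rrsigs:
        if parse_rrsig_rdata(rd)["type_covered"] == qtype:
            return rd
    return None


def random_representative(rrsigs, rng):
    """Model of an authoritative server answering QTYPE=RRSIG (as with ANY)
    with a single randomly chosen record instead of the whole RRset."""
    return rng.choice(rrsigs)


def answer_section_size(owner, rrsigs):
    """Bytes needed to return every RRSIG at owner, without name compression:
    owner name + TYPE, CLASS, TTL, RDLENGTH (10 bytes) + RDATA per record."""
    return sum(len(encode_name(owner)) + 10 + len(rd) for rd in rrsigs)


# Constructed test data: a zone apex with three signed RRsets, RSASHA256
# (algorithm 8) with a 2048-bit key, whose signatures are 256 bytes each.
OWNER = "example.com."
SIGNER = "example.com."
RRSIGS_AT_APEX = [
    build_rrsig_rdata(TYPE_A, SIGNER, b"\xaa" * 256),
    build_rrsig_rdata(TYPE_MX, SIGNER, b"\xbb" * 256),
    build_rrsig_rdata(TYPE_AAAA, SIGNER, b"\xcc" * 256),
]


if __name__ == "__main__":
    import random
    size = answer_section_size(OWNER, RRSIGS_AT_APEX)
    print("full RRSIG answer: %d bytes (classic UDP limit %d)"
          % (size, CLASSIC_UDP_LIMIT))
    got = random_representative(RRSIGS_AT_APEX, random.Random())
    covered = TYPE_NAMES[parse_rrsig_rdata(got)["type_covered"]]
    print("representative covers %s; MX signature present: %s"
          % (covered, rrsig_covering([got], TYPE_MX) is not None))
```

With three RSA-2048 signatures the full RRSIG answer is 930 bytes, already past the classic 512-byte UDP limit, while a one-record representative answer contains the MX signature only one time in three. The way to get the signature for one specific RRset remains to query that RRtype with the DO bit set, so the RRSIG rides along with the RRset it covers.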
