[dns-operations] [Ext] Possibly-incorrect NSEC responses from many RSOs
pspacek at isc.org
Wed Mar 3 08:24:47 UTC 2021
On 03. 03. 21 7:35, Viktor Dukhovni wrote:
> On Wed, Mar 03, 2021 at 06:04:45AM +0000, Paul Vixie wrote:
>>> A laudable goal, but exposing RRSIG as a bare RRset one can query does
>>> not look like a viable path forward. So I don't see this happening.
>> You described several cases in which rrsigs wouldn't be stable enough.
>> In my own role as signer, the rrsigs are refreshed by cron on sundays,
>> and so I think we're both looking at anecdotes here, worst or best case
>> scenarios, and what you don't see happening isn't totally compelling.
> Another basic issue with RRSIG queries, already mentioned by Brian Dickson,
> is that there's no way to ask for the RRSIG of a specific RRSet, one can
> (at present) only ask for all (or any subset) of the RRSIGs associated
> with a given name, and returning them all (at least over UDP) is often
> not a good idea.
> So, as noted by Tony Finch, the DNSSEC-oblivious iterative resolver may
> (as already recommended) get back from its authoritative upstream only a
> random representative record from the authoritative upstream (just as
> with ANY queries), which is again often not the RRSIG you're looking
For the record, "respond with a randomly selected RRSIG" is implemented
in Knot DNS 3.0.0, released in September 2020. Apparently sky did
Petr Špaček @ ISC