[dns-operations] Incomplete type bitmaps in NSEC(3) records and aggressive use of DNSSEC validated cache
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Wed Sep 8 12:37:39 UTC 2021
Hello.
On 08/09/2021 11.12, Ruben van Staveren via dns-operations wrote:
> should we do more analysis of this phenomenon and even have a dns flag
> day before even more resolvers and operators are going to implement
> RFC8198? There might be an issue by deliberately exploiting this and
> make websites/mail unreachable.
Measuring how much this happens might be nice (or similar problems), but
I don't think it will be worth a flag day. Aggressive resolvers have
been deployed for years, and it apparently hasn't caused that much trouble.
As for possibility of exploitation... experience (e.g. with F5) shows
that some parties just won't fix stuff until there's significant
pressure. I'd think that now the "gradient" for this is that operators
should deploy aggressive caching instead of delaying, and that will help
cleaning up this behavior (which has been non-compliant since RFC 4034+,
not since 8198).
--Vladimir | knot-resolver.cz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210908/c13f73ab/attachment.html>
More information about the dns-operations
mailing list