[dns-operations] Incomplete type bitmaps in NSEC(3) records and aggressive use of DNSSEC validated cache

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Wed Sep 8 12:37:39 UTC 2021


On 08/09/2021 11.12, Ruben van Staveren via dns-operations wrote:
> should we do more analysis of this phenomenon and even have a dns flag 
> day before even more resolvers and operators are going to implement 
> RFC8198? There might be an issue by deliberately exploiting this and 
> make websites/mail unreachable.

Measuring how much this happens might be nice (or similar problems), but 
I don't think it will be worth a flag day. Aggressive resolvers have 
been deployed for years, and it apparently hasn't caused that much trouble.

As for possibility of exploitation... experience (e.g. with F5) shows 
that some parties just won't fix stuff until there's significant 
pressure.  I'd think that now the "gradient" for this is that operators 
should deploy aggressive caching instead of delaying, and that will help 
cleaning up this behavior (which has been non-compliant since RFC 4034+, 
not since 8198).

--Vladimir | knot-resolver.cz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210908/c13f73ab/attachment.html>

More information about the dns-operations mailing list