[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

[Matt Nordhoff]

On Tue, Jul 18, 2023 at 6:21 PM Gavin McCullagh <gmccullagh at gmail.com> wrote:
> Hi,
>
> sorry to dredge this back up, but I just want to give anyone the chance to object.
>
> My read of what Viktor and others have indicated here is that, when a validating resolver receives a response with expired rrsigs, it's okay (and encouraged?) for that resolver to treat that as an invalid response and retry against other nameservers, similarly to how it would handle a REFUSED or SERVFAIL response from an authority (i.e. with similar care to limit retry storms).
>
> The purpose of this is so that a single stale pop or authoritative host would not cause an outage to dnssec signed domains, as resolvers will retry against others.
>
> I'd like to reach out to NLNet about changing Unbound to do this, so I want to make sure people have a chance to disagree.  Feel free to voice your disagreement (and reasons) here if you do.
>
> Gavin

This is just a comment, but I've reported TLD secondary nameservers
with expired RRSIGs ~4 different times.¹ ² ³ I never would have
noticed most problems if I had been using a resolver that retried
other authoritative nameservers for DNSSEC issues. Who knows how long
it would have taken for the problems to have been discovered or fixed.

Of course it's good for resolution to succeed, but it also papers over
problems and causes them to linger forever.

(Just like happens with other DNS problems now, like a nameserver
timing out or returning SERVFAIL.)

¹ And also in-addr.arpa/ip6.arpa.

² And that time one of the root servers borked arpa zone apex queries.

³ Actually the xn--wgbh1c TLD is broken right now but I haven't told anyone.
-- 
Matt Nordhoff