[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
Gavin McCullagh
gmccullagh at gmail.com
Tue Jul 18 19:51:39 UTC 2023
On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired
> signature wasn't an attacker trying to replay old data. For robustness
> against attacks, it must re-query other available other servers if they
> exist.
>
> Also, I was under the impression that most resolvers already had this
> robust behavior. Since Unbound was mentioned, I just tested an unbound
> resolver against a test DNS record that I have provisioned with an
> intentionally expired DNSSEC signature - it sent queries to all 4 servers
> for the zone before giving up and returning SERVFAIL.
>
Interesting. As I understand it, in the event we're talking about, 4/13
nameservers would have been stale - so it might be that it did retry but
not enough to work around the problem. We definitely saw Unbound returning
SERVFAIL for unsigned com domains though. I didn't get around to retesting
the specific circumstances yet, but if Unbound already retries on this,
then we can just work to understand the details better.
Gavin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230718/9392be2c/attachment.html>
More information about the dns-operations
mailing list