[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

Gavin McCullagh gmccullagh at gmail.com
Tue Jul 18 19:51:39 UTC 2023


On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:

> Yes, I agree. A resolver can't really tell that a response with an expired
> signature wasn't an attacker trying to replay old data. For robustness
> against attacks, it must re-query other available servers if they
> exist.
>
> Also, I was under the impression that most resolvers already had this
> robust behavior. Since Unbound was mentioned, I just tested an unbound
> resolver against a test DNS record that I have provisioned with an
> intentionally expired DNSSEC signature - it sent queries to all 4 servers
> for the zone before giving up and returning SERVFAIL.
>

Interesting.  As I understand it, in the event we're talking about, 4/13
nameservers would have been stale - so it might be that it did retry but
not enough to work around the problem.  We definitely saw Unbound returning
SERVFAIL for unsigned com domains though.  I didn't get around to retesting
the specific circumstances yet, but if Unbound already retries on this,
then we can just work to understand the details better.

Gavin
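The behaviour the thread is describing, a validating resolver that treats a response whose RRSIG window has lapsed as bogus and moves on to the next authoritative server rather than failing on the first answer, can be modelled in a few lines. The following is an added illustration, not code from the thread, from Unbound, or from either poster: the signature-window check follows RFC 4034 section 3.1.5 (32-bit timestamps compared with RFC 1982 serial arithmetic), while the server fleet, the RRSIG timestamps, the clock value and the `resolve_with_retry` / `resolve_first_answer` helpers are constructed for the example. It also plays out both scenarios mentioned above: a fleet where 4 of 13 servers are stale, and a zone where all 4 servers serve an expired signature.

```python
"""Toy model of a validating resolver's handling of expired RRSIGs.

Added example; the server names, timestamps and the two resolver
strategies below are constructed for illustration only.
"""

MOD32 = 1 << 32
HALF32 = 1 << 31
NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"

# Constructed "current time": an epoch value on 2023-07-18.
NOW = 1689709899
DAY = 86400


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' for 32-bit values (RRSIG times wrap)."""
    a %= MOD32
    b %= MOD32
    return (a < b and b - a < HALF32) or (a > b and a - b > HALF32)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 3.1.5: a signature is usable only while inception <= now <= expiration."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def make_servers(n_total: int = 13, n_stale: int = 4) -> dict:
    """Constructed fleet: the first n_stale servers still hand out a signature
    that expired a day ago; the rest serve a freshly re-signed RRSIG."""
    stale = {"inception": NOW - 8 * DAY, "expiration": NOW - DAY}
    fresh = {"inception": NOW - DAY, "expiration": NOW + 6 * DAY}
    return {f"ns{i}.example": (stale if i < n_stale else fresh)
            for i in range(n_total)}


def resolve_first_answer(servers: dict, now: int, log: list) -> tuple:
    """Weak strategy: validate only the first answer and give up on failure.
    A single stale server is enough to produce SERVFAIL for the whole zone."""
    server = next(iter(servers))
    log.append(server)
    sig = servers[server]
    if rrsig_time_valid(sig["inception"], sig["expiration"], now):
        return NOERROR, server
    return SERVFAIL, None


def resolve_with_retry(servers: dict, now: int, log: list) -> tuple:
    """Robust strategy: an expired or not-yet-valid signature is indistinguishable
    from replayed stale data, so it is treated as bogus and the next server is
    queried. SERVFAIL is returned only once every server has been tried."""
    for server, sig in servers.items():
        log.append(server)
        if sig is None:
            continue  # no response: try the next server
        if rrsig_time_valid(sig["inception"], sig["expiration"], now):
            return NOERROR, server
    return SERVFAIL, None


def run_scenarios() -> dict:
    """Play out the two situations discussed in the thread (constructed data)."""
    out = {}

    # 4 of 13 servers stale: retrying reaches a fresh one, failing fast does not.
    fleet = make_servers(13, 4)
    log = []
    out["fleet_retry"] = (*resolve_with_retry(fleet, NOW, log), len(log))
    log = []
    out["fleet_first"] = (*resolve_first_answer(fleet, NOW, log), len(log))

    # All 4 servers stale: the resolver tries each one before returning SERVFAIL.
    all_stale = make_servers(4, 4)
    log = []
    out["all_stale_retry"] = (*resolve_with_retry(all_stale, NOW, log), len(log))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: rcode={result[0]} server={result[1]} queries={result[2]}")
```

The point of the contrast is the fleet case: with the same 13 servers and the same expired signatures, the first-answer strategy returns SERVFAIL after one query while the retrying strategy reaches a correctly signed answer on the fifth. When every server is stale, retrying still ends in SERVFAIL, but only after each server has been asked, which matches the four-query behaviour reported for the test zone above.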