[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
gmccullagh at gmail.com
Tue Jul 18 19:51:39 UTC 2023
On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired
> signature wasn't an attacker trying to replay old data. For robustness
> against attacks, it must re-query other available other servers if they
> Also, I was under the impression that most resolvers already had this
> robust behavior. Since Unbound was mentioned, I just tested an unbound
> resolver against a test DNS record that I have provisioned with an
> intentionally expired DNSSEC signature - it sent queries to all 4 servers
> for the zone before giving up and returning SERVFAIL.
Interesting. As I understand it, in the event we're talking about, 4/13
nameservers would have been stale - so it might be that it did retry but
not enough to work around the problem. We definitely saw Unbound returning
SERVFAIL for unsigned com domains though. I didn't get around to retesting
the specific circumstances yet, but if Unbound already retries on this,
then we can just work to understand the details better.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations