[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

Matt Nordhoff lists at mn0.us
Tue Jul 18 20:24:14 UTC 2023 

On Tue, Jul 18, 2023 at 7:53 PM Gavin McCullagh <gmccullagh at gmail.com> wrote:
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
>> Yes, I agree. A resolver can't really tell that a response with an expired signature wasn't an attacker trying to replay old data. For robustness against attacks, it must re-query other available other servers if they exist.
>>
>> Also, I was under the impression that most resolvers already had this robust behavior. Since Unbound was mentioned, I just tested an unbound resolver against a test DNS record that I have provisioned with an intentionally expired DNSSEC signature - it sent queries to all 4 servers for the zone before giving up and returning SERVFAIL.
>
>
> Interesting.  As I understand it, in the event we're talking about, 4/13 nameservers would have been stale - so it might be that it did retry but not enough to work around the problem.  We definitely saw Unbound returning SERVFAIL for unsigned com domains though.  I didn't get around to retesting the specific circumstances yet, but if Unbound already retries on this, then we can just work to understand the details better.
>
> Gavin

My past experience with Unbound (a few years ago) was that it very
aggressively tried every nameserver when it encountered problems,
DNSSEC or otherwise. If someone had asked me a month ago, I would have
joked that the only way it would have returned SERVFAIL is if your
Unbound clusters DDoSed Verisign offline. :-)

This is only a guess, but maybe it hit a limit like the new
max-sent-count setting?

For a while now, resolvers have been focusing on limiting queries for
things like the NXNSAttack, which works against your goal here.

With all due respect to Verisign and their highly-provisioned servers,
that is a real concern. It doesn't help anything when a zone is
completely bogus *and* the zone and its parents are getting 1000x
their normal query volume in retries.

Maybe you hit an edge case or Unbound's defaults should be tuned a
little differently?
-- 
Matt Nordhoff

More information about the dns-operations mailing list