[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
lists at mn0.us
Tue Jul 18 20:24:14 UTC 2023
On Tue, Jul 18, 2023 at 7:53 PM Gavin McCullagh <gmccullagh at gmail.com> wrote:
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
>> Yes, I agree. A resolver can't really tell that a response with an expired signature wasn't an attacker trying to replay old data. For robustness against attacks, it must re-query other available servers if they exist.
>> Also, I was under the impression that most resolvers already had this robust behavior. Since Unbound was mentioned, I just tested an unbound resolver against a test DNS record that I have provisioned with an intentionally expired DNSSEC signature - it sent queries to all 4 servers for the zone before giving up and returning SERVFAIL.
> Interesting. As I understand it, in the event we're talking about, 4/13 nameservers would have been stale - so it might be that it did retry but not enough to work around the problem. We definitely saw Unbound returning SERVFAIL for unsigned com domains though. I didn't get around to retesting the specific circumstances yet, but if Unbound already retries on this, then we can just work to understand the details better.
My past experience with Unbound (a few years ago) was that it very
aggressively tried every nameserver when it encountered problems,
DNSSEC or otherwise. If someone had asked me a month ago, I would have
joked that the only way it would have returned SERVFAIL is if your
Unbound clusters DDoSed Verisign offline. :-)
This is only a guess, but maybe it hit a limit like the new
For a while now, resolvers have been focusing on limiting queries for
things like the NXNSAttack, which works against your goal here.
With all due respect to Verisign and their highly-provisioned servers,
that is a real concern. It doesn't help anything when a zone is
completely bogus *and* the zone and its parents are getting 1000x
their normal query volume in retries.
Maybe you hit an edge case or Unbound's defaults should be tuned a
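The two points in the thread above, that an expired RRSIG is indistinguishable from a replayed answer and so must be treated as bogus, and that a per-query send limit can turn a partially stale server set into SERVFAIL, can be made concrete with a small model. The following is an added example written for this thread; it is not Unbound's code and does not reproduce Unbound's server-selection algorithm. The validity-window check follows RFC 4035 section 5.3.1; the retry model (random server order, stop at the first valid signature, give up after a fixed budget of sends) is an assumption used to quantify the "4 of 13 stale" case, and all RRSIG data, server names and times are constructed.

```python
"""Expired-RRSIG handling and a retry-budget model for a partly stale nameserver set.

Added illustration for the thread, not Unbound's algorithm. All record data is
constructed; the budget model is a simplifying assumption.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import datetime, timezone
from math import comb


@dataclass(frozen=True)
class RRSig:
    """RRSIG fields in presentation order (RFC 4034 section 3.2)."""
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int  # POSIX seconds, UTC
    inception: int   # POSIX seconds, UTC
    key_tag: int
    signer: str
    signature: str   # base64; not cryptographically verified here


def sigtime(field: str) -> int:
    """Convert a YYYYMMDDHHmmSS signature time (UTC) to POSIX seconds."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_rrsig(rdata: str) -> RRSig:
    """Parse RRSIG rdata text: 'A 13 2 300 <expiration> <inception> <keytag> <signer> <b64>'."""
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("RRSIG rdata needs at least 9 fields")
    return RRSig(f[0], int(f[1]), int(f[2]), int(f[3]),
                 sigtime(f[4]), sigtime(f[5]), int(f[6]), f[7], "".join(f[8:]))


def signature_status(sig: RRSig, now: int, skew: int = 0) -> str:
    """RFC 4035 section 5.3.1 window check: 'valid', 'expired' or 'not-yet-valid'.

    An expired signature cannot be told apart from a replayed old answer, so a
    validator has to treat the data as bogus rather than accept it.
    """
    if now + skew < sig.inception:
        return "not-yet-valid"
    if now - skew > sig.expiration:
        return "expired"
    return "valid"


def servfail_probability(total: int, stale: int, budget: int, with_replacement: bool = False) -> float:
    """Probability that every send within `budget` lands on a stale server.

    Without replacement: the resolver never re-asks a server that returned bogus
    data. With replacement: each pick is independent (e.g. RTT-weighted random).
    """
    if total <= 0 or not 0 <= stale <= total or budget <= 0:
        raise ValueError("bad parameters")
    if with_replacement:
        return (stale / total) ** budget
    if budget > stale:
        return 0.0  # a fresh server is guaranteed to be reached within the budget
    return comb(stale, budget) / comb(total, budget)


def resolve_with_budget(answers: dict[str, RRSig], now: int, budget: int,
                        seed: int | None = None) -> tuple[str, int]:
    """Try servers in random order; stop at the first valid signature.

    `answers` maps a server name to the RRSIG it would return for the queried
    RRset. Returns ('ok', sends) or ('SERVFAIL', sends).
    """
    order = list(answers.items())
    random.Random(seed).shuffle(order)
    sends = 0
    for _server, sig in order[:budget]:
        sends += 1
        if signature_status(sig, now) == "valid":
            return "ok", sends
    return "SERVFAIL", sends


def servfail_rate(answers: dict[str, RRSig], now: int, budget: int,
                  trials: int = 20000, seed: int = 0) -> float:
    """Monte Carlo estimate of the SERVFAIL fraction under the budget model."""
    rng = random.Random(seed)
    fails = sum(resolve_with_budget(answers, now, budget, rng.randrange(2**31))[0] == "SERVFAIL"
                for _ in range(trials))
    return fails / trials


# Constructed data: 13 servers, 4 still serving a signature that expired on
# 2023-07-10, the other 9 serving a fresh one. Times are illustrative only.
NOW = sigtime("20230718120000")
FRESH = parse_rrsig("A 13 2 300 20230801000000 20230702000000 12345 example. AAAA")
STALE = parse_rrsig("A 13 2 300 20230710000000 20230610000000 12345 example. AAAA")
SERVERS = {f"ns{i}.example.": (STALE if i < 4 else FRESH) for i in range(13)}

if __name__ == "__main__":
    print("fresh:", signature_status(FRESH, NOW), " stale:", signature_status(STALE, NOW))
    for budget in (2, 4, 5):
        print(f"budget={budget}: P(SERVFAIL) no-replacement={servfail_probability(13, 4, budget):.4%}"
              f" replacement={servfail_probability(13, 4, budget, True):.4%}"
              f" simulated={servfail_rate(SERVERS, NOW, budget):.4%}")
```

With 4 of 13 servers stale, a budget of 4 sends without re-asking a failed server yields C(4,4)/C(13,4) = 1/715 of queries failing; a budget of 5 or more cannot fail under that model, whereas independent random picks keep a (4/13)^budget tail. The model ignores RTT banding, parallel sends and the validator's own signature-skew allowance, which is why it is only a way to reason about the numbers in the thread and not a prediction of any particular resolver.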