[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

[Mark Andrews]

> On 19 Jul 2023, at 05:51, Gavin McCullagh <gmccullagh at gmail.com> wrote:
> 
> 
> 
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired signature wasn't an attacker trying to replay old data. For robustness against attacks, it must re-query other available other servers if they exist.
> 
> Also, I was under the impression that most resolvers already had this robust behavior. Since Unbound was mentioned, I just tested an unbound resolver against a test DNS record that I have provisioned with an intentionally expired DNSSEC signature - it sent queries to all 4 servers for the zone before giving up and returning SERVFAIL.
> 
> Interesting.  As I understand it, in the event we're talking about, 4/13 nameservers would have been stale - so it might be that it did retry but not enough to work around the problem.  We definitely saw Unbound returning SERVFAIL for unsigned com domains though.  I didn't get around to retesting the specific circumstances yet, but if Unbound already retries on this, then we can just work to understand the details better.
> 
> Gavin 

If you have stale DS’s then you will get validation failures if the child zone had already remove the DNSKEYs those DS refer to. 

>   _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org