[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
Mark Andrews
marka at isc.org
Tue Jul 18 22:47:11 UTC 2023
> On 19 Jul 2023, at 05:51, Gavin McCullagh <gmccullagh at gmail.com> wrote:
>
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <shuque at gmail.com> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired signature wasn't an attacker trying to replay old data. For robustness against attacks, it must re-query the other available servers if they exist.
>
> Also, I was under the impression that most resolvers already had this robust behavior. Since Unbound was mentioned, I just tested an unbound resolver against a test DNS record that I have provisioned with an intentionally expired DNSSEC signature - it sent queries to all 4 servers for the zone before giving up and returning SERVFAIL.
>
> Interesting. As I understand it, in the event we're talking about, 4/13 nameservers would have been stale - so it might be that it did retry but not enough to work around the problem. We definitely saw Unbound returning SERVFAIL for unsigned com domains though. I didn't get around to retesting the specific circumstances yet, but if Unbound already retries on this, then we can just work to understand the details better.
>
> Gavin
If you have stale DS's then you will get validation failures if the child zone had already removed the DNSKEYs those DS refer to.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
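As an added example (not part of the thread), the Python below models the two failure modes discussed above: a parent DS that no longer refers to any DNSKEY the child still publishes, and a resolver that treats an RRSIG outside its validity window as bogus and moves on to the remaining servers rather than returning the stale data. It implements the RFC 4034 key tag and SHA-256 DS digest directly; the DNSKEY public-key bytes and the per-server responses are constructed for the illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS (key tag, algorithm, digest type, digest) for a DNSKEY; type 2 = SHA-256."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds_set, owner, dnskey_set):
    """True when some DS in the parent still refers to a DNSKEY the child publishes.
    After a rollover that removed the key, a stale DS matches nothing: validation fails."""
    published = {make_ds(owner, k) for k in dnskey_set}
    return any(ds in published for ds in ds_set)

def rrsig_in_window(inception, expiration, now):
    """RFC 4035 5.3.1 time check (plain integers; 32-bit serial arithmetic not modelled)."""
    return inception <= now <= expiration

def resolve_with_retry(servers, now):
    """servers: list of (name, (answer, inception, expiration)) as constructed responses.
    Query each server in turn; an expired RRSIG is bogus, so try the next server.
    Returns (server, answer) for the first usable response, or None if all are stale."""
    for server, (answer, inception, expiration) in servers:
        if rrsig_in_window(inception, expiration, now):
            return server, answer
    return None

if __name__ == "__main__":
    key = dnskey_rdata(257, 3, 13, bytes(range(64)))  # constructed KSK, not a real key
    ds_set = {make_ds("example.", key)}
    print(ds_matches(ds_set, "example.", {key}))  # True: DS refers to a live key
    print(ds_matches(ds_set, "example.", set()))  # False: key removed, DS is stale
```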