I have to apologise, my conclusions (
http://ubuntuone.com/4Bz1BqOsGMkTUQgViEL0rz) were probably somewhat
premature. (Well, I was excited to find a VE-RI-SI-G-N fault :).

I think issues do exist, but I can't really tell how severe they are.

After spending some time reading RFC4035, I see that for most well-behaved
resolvers - at first they will find the RRSIG they can't validate, and thus
they will either retry (and in our case the very first retry would do), or
they will return SERVFAIL, and maybe cache that SERVFAIL result for some
short time (but not for as long as the TTL), and then query for a new RR and
RRSIGs, which will work.

Though the Verisign approach should affect validating stub resolvers which use
the CD bit - their forwarders possibly will not validate RRSIGs, and thus will
not expire RRSIGs which fail to validate. In this particular case my
conclusions still appear true to me.

Maybe someone can comment...

Alexander Gurvitz,
net-me.net

On 9 Oct 2012, at 17:29, Alexander Gurvitz <[email protected]> wrote:

>
> I came up with a side-by-side comparison of the Verisign patent
> application vs. the IETF draft which Tony Finch mentioned.
> It seems that the patent is very close to the draft, with one little
> change, but as far as I see,
> the consequence of that little change is that the process described in the
> patent breaks DNSSEC validation. :)
>
> PDF with the comparison - http://ubuntuone.com/4Bz1BqOsGMkTUQgViEL0rz
>
>
>
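The two resolution paths discussed in the message above, as an added toy model (not code from the thread, the patent, or any resolver implementation): an authoritative server that hands out one RRSIG which does not verify under the published key, a validating recursive resolver that either retries once or answers SERVFAIL with a short negative cache, and a validating stub sitting behind a non-validating forwarder (the CD-bit case). Signatures are HMACs standing in for real DNSSEC crypto; the key names, the 30-second SERVFAIL cache time, the 3600-second TTL and the address 192.0.2.1 are all constructed assumptions.

```python
"""Toy model: how an un-validatable RRSIG propagates through validating vs.
non-validating resolution paths.  Constructed example; HMACs stand in for
real RRSIG crypto, which is enough to model "validates" / "does not validate".
"""
import hashlib
import hmac
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"
PUBLISHED_KEY = b"published-zsk"  # assumed: the key the validator trusts
STALE_KEY = b"stale-zsk"          # assumed: a key no longer in the DNSKEY set


@dataclass
class RRset:
    name: str
    rdata: str
    ttl: int
    rrsig: bytes  # toy signature over (name, rdata)


def sign(name: str, rdata: str, key: bytes) -> bytes:
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()


def validates(rr: RRset, key: bytes) -> bool:
    return hmac.compare_digest(rr.rrsig, sign(rr.name, rr.rdata, key))


class Authoritative:
    """Returns an RRSIG made with the stale key on the first query only."""
    def __init__(self) -> None:
        self.queries = 0

    def answer(self, name: str) -> RRset:
        self.queries += 1
        key = STALE_KEY if self.queries == 1 else PUBLISHED_KEY
        return RRset(name, "192.0.2.1", ttl=3600, rrsig=sign(name, "192.0.2.1", key))


class ValidatingResolver:
    """Recursive resolver that validates before caching.  With retry=True it
    re-queries once on validation failure; otherwise it answers SERVFAIL and
    caches that failure only briefly, never for the RRset's TTL."""
    SERVFAIL_TTL = 30  # assumed short negative-cache time (seconds)

    def __init__(self, auth: Authoritative, retry: bool) -> None:
        self.auth, self.retry = auth, retry
        self.cache: dict = {}     # name -> (RRset, expiry)
        self.servfail: dict = {}  # name -> expiry

    def resolve(self, name: str, now: int):
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]
        if name in self.servfail and self.servfail[name] > now:
            return SERVFAIL
        rr = self.auth.answer(name)
        if not validates(rr, PUBLISHED_KEY) and self.retry:
            rr = self.auth.answer(name)  # one retry fetches a fresh RRSIG
        if validates(rr, PUBLISHED_KEY):
            self.cache[name] = (rr, now + rr.ttl)
            return rr
        self.servfail[name] = now + self.SERVFAIL_TTL
        return SERVFAIL


class Forwarder:
    """Non-validating forwarder (what a CD=1 query path gets): caches whatever
    it received, bad RRSIG included, for the full TTL."""
    def __init__(self, auth: Authoritative) -> None:
        self.auth, self.cache = auth, {}

    def resolve(self, name: str, now: int) -> RRset:
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]
        rr = self.auth.answer(name)
        self.cache[name] = (rr, now + rr.ttl)
        return rr


class ValidatingStub:
    """Stub that validates itself but cannot make the forwarder re-fetch."""
    def __init__(self, fwd: Forwarder) -> None:
        self.fwd = fwd

    def resolve(self, name: str, now: int):
        rr = self.fwd.resolve(name, now)
        return rr if validates(rr, PUBLISHED_KEY) else SERVFAIL


def outage_seconds(resolver, name: str = "www.example.", horizon: int = 3600) -> int:
    """Seconds in [0, horizon) during which a client gets SERVFAIL."""
    return sum(1 for t in range(horizon) if resolver.resolve(name, t) == SERVFAIL)


def validating_with_retry() -> int:
    return outage_seconds(ValidatingResolver(Authoritative(), retry=True))


def validating_without_retry() -> int:
    return outage_seconds(ValidatingResolver(Authoritative(), retry=False))


def stub_behind_forwarder() -> int:
    return outage_seconds(ValidatingStub(Forwarder(Authoritative())))


if __name__ == "__main__":
    print("validating recursive, retry    :", validating_with_retry(), "s SERVFAIL")
    print("validating recursive, no retry :", validating_without_retry(), "s SERVFAIL")
    print("CD stub behind forwarder       :", stub_behind_forwarder(), "s SERVFAIL")
```

Under these assumptions the validating recursive resolver is unaffected (retry) or fails for the 30-second SERVFAIL cache, while the stub behind the CD-bit forwarder fails for the whole 3600-second TTL, because nothing between the stub and the authoritative server will discard the RRSIG that failed to validate. The defensive point is the one the message makes: validation, and expiry of data that fails it, has to happen at a resolver that actually controls the cache.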
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations