--- Begin Message ---
On Tue, Jul 18, 2023 at 6:21 PM Gavin McCullagh <[email protected]> wrote:
> Hi,
>
> sorry to dredge this back up, but I just want to give anyone the chance to
> object.
>
> My read of what Viktor and others have indicated here is that, when a
> validating resolver receives a response with expired rrsigs, it's okay (and
> encouraged?) for that resolver to treat that as an invalid response and retry
> against other nameservers, similarly to how it would handle a REFUSED or
> SERVFAIL response from an authority (i.e. with similar care to limit retry
> storms).
>
> The purpose of this is so that a single stale pop or authoritative host would
> not cause an outage to dnssec signed domains, as resolvers will retry against
> others.
>
> I'd like to reach out to NLNet about changing Unbound to do this, so I want
> to make sure people have a chance to disagree. Feel free to voice your
> disagreement (and reasons) here if you do.
>
> Gavin
This is just a comment, but I've reported TLD secondary nameservers
with expired RRSIGs ~4 different times.¹ ² ³ I never would have
noticed most problems if I had been using a resolver that retried
other authoritative nameservers for DNSSEC issues. Who knows how long
it would have taken for the problems to have been discovered or fixed.
Of course it's good for resolution to succeed, but it also papers over
problems and causes them to linger forever.
(Just like happens with other DNS problems now, like a nameserver
timing out or returning SERVFAIL.)
¹ And also in-addr.arpa/ip6.arpa.
² And that time one of the root servers borked arpa zone apex queries.
³ Actually the xn--wgbh1c TLD is broken right now but I haven't told anyone.
--
Matt Nordhoff
--- End Message ---
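A monitoring-side check for the stale-secondary case Matt describes, added here as an example and not code from this thread: it classifies the RRSIGs each authoritative server returned for a name (constructed sample records, no network I/O) so an expired signature on one server is reported per server rather than masked by resolver retries. The nameserver names, key tags and signature data are made up; the timestamp handling follows RFC 4034 (YYYYMMDDHHmmSS or integer presentation, serial-number comparison).

```python
from datetime import datetime, timezone

# RFC 4034 s3.1.5: expiration/inception are 32-bit unsigned seconds since the
# epoch and MUST be compared with serial number arithmetic (RFC 1982).
MOD = 1 << 32
HALF = 1 << 31

def parse_rrsig_time(field: str) -> int:
    """RRSIG presentation format: YYYYMMDDHHmmSS in UTC, or a bare integer."""
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % MOD
    return int(field) % MOD

def serial_lt(a: int, b: int) -> bool:
    """True if a < b under RFC 1982 serial arithmetic (survives the 2106 wrap)."""
    return a != b and ((b - a) % MOD) < HALF

def rrsig_status(rrsig_rdata: str, now: int) -> str:
    """Classify one RRSIG. rdata fields: type alg labels origttl exp inc keytag signer sig."""
    fields = rrsig_rdata.split()
    expiration = parse_rrsig_time(fields[4])
    inception = parse_rrsig_time(fields[5])
    if serial_lt(expiration, now):
        return "expired"
    if serial_lt(now, inception):
        return "not-yet-valid"
    return "valid"

def audit_nameservers(answers: dict, now: int) -> dict:
    """Map each nameserver to the worst status among the RRSIGs it served."""
    rank = {"valid": 0, "not-yet-valid": 1, "expired": 2}
    result = {}
    for ns, rrsigs in answers.items():
        statuses = [rrsig_status(r, now) for r in rrsigs]
        result[ns] = max(statuses, key=rank.__getitem__) if statuses else "unsigned"
    return result

# Constructed sample: three servers for a signed zone; ns3 serves a stale copy.
SAMPLE = {
    "ns1.example.": ["SOA 13 2 3600 20230801000000 20230711000000 12345 example. AbCd=="],
    "ns2.example.": ["SOA 13 2 3600 20230801000000 20230711000000 12345 example. AbCd=="],
    "ns3.example.": ["SOA 13 2 3600 20230715000000 20230625000000 12345 example. AbCd=="],
}

if __name__ == "__main__":
    now = parse_rrsig_time("20230718182100")  # roughly the date of this thread, UTC
    for ns, status in audit_nameservers(SAMPLE, now).items():
        print(f"{ns:15} {status}")
```

In a real check the per-server answers come from querying each NS directly (for example with the `+norecurse` style of a plain `dig` query), which is exactly the view a retrying resolver would hide.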
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations