> On 19 Jul 2023, at 05:51, Gavin McCullagh <[email protected]> wrote:
>
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <[email protected]> wrote:
>> Yes, I agree. A resolver can't really tell that a response with an expired
>> signature wasn't an attacker trying to replay old data. For robustness
>> against attacks, it must re-query other available servers if they exist.
>>
>> Also, I was under the impression that most resolvers already had this robust
>> behavior. Since Unbound was mentioned, I just tested an unbound resolver
>> against a test DNS record that I have provisioned with an intentionally
>> expired DNSSEC signature - it sent queries to all 4 servers for the zone
>> before giving up and returning SERVFAIL.
>
> Interesting. As I understand it, in the event we're talking about, 4/13
> nameservers would have been stale - so it might be that it did retry but not
> enough to work around the problem. We definitely saw Unbound returning
> SERVFAIL for unsigned com domains though. I didn't get around to retesting
> the specific circumstances yet, but if Unbound already retries on this, then
> we can just work to understand the details better.
>
> Gavin

If you have stale DSs then you will get validation failures if the child zone had already removed the DNSKEYs those DS refer to.

> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
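The two failure modes the thread touches on, an RRSIG whose validity window has passed and a parent-side DS that no longer matches any DNSKEY the child publishes, can be modelled without a live resolver. The following is an added illustration, not code from the thread, Unbound or ISC: it implements the RFC 4034 Appendix B key-tag computation and SHA-256 DS digest over constructed key material (the public-key bytes are made up, not a real key), checks RRSIG inception/expiration with RFC 1982 serial arithmetic, and models a validator that tries every authoritative server before answering SERVFAIL. Function names and the sample zone `example.` are this example's own.

```python
"""Toy DNSSEC validation model: stale DS vs. DNSKEY set, and expired RRSIG retry."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes  # constructed bytes in this example, not a real public key

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5, alg 1)."""
    acc = 0
    for i, b in enumerate(key.rdata()):
        acc += b if (i & 1) else (b << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509)
    digest: bytes


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS digest is SHA-256(owner name in wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DS authenticates a DNSKEY only if tag, algorithm and digest all agree."""
    if ds.digest_type != 2 or ds.key_tag != key_tag(key) or ds.algorithm != key.algorithm:
        return False
    return hashlib.sha256(owner_wire(owner) + key.rdata()).digest() == ds.digest


def chain_of_trust_ok(owner: str, ds_set, dnskey_set) -> bool:
    """Mark's point: if the only DS records point at keys the child has removed,
    no DS matches any published DNSKEY and validation of the zone fails."""
    return any(ds_matches(owner, ds, k) for ds in ds_set for k in dnskey_set)


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 'a <= b' for 32-bit serials (RRSIG times wrap mod 2^32)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def rrsig_time_ok(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 s.3.1.5: inception <= now <= expiration in serial arithmetic."""
    return serial_le(inception, now) and serial_le(now, expiration)


def resolve_with_retry(responses, now: int):
    """Shumon's observation, as a model: `responses` holds (inception, expiration)
    of the RRSIG each authoritative server returned, in the order queried. The
    validator keeps trying the next server while signatures are out of window,
    since an expired signature is indistinguishable from a replayed stale one.
    Returns (rcode, number_of_servers_queried)."""
    for idx, (inception, expiration) in enumerate(responses):
        if rrsig_time_ok(inception, expiration, now):
            return ("NOERROR", idx + 1)
    return ("SERVFAIL", len(responses))


if __name__ == "__main__":
    zone = "example."
    old_ksk = DNSKEY(257, 3, 13, bytes(range(64)))          # constructed, since removed
    new_ksk = DNSKEY(257, 3, 13, bytes(range(64, 128)))     # constructed, now published
    stale_ds = make_ds(zone, old_ksk)
    print("stale DS only :", chain_of_trust_ok(zone, [stale_ds], [new_ksk]))
    print("DS rolled too :", chain_of_trust_ok(zone, [stale_ds, make_ds(zone, new_ksk)], [new_ksk]))
    print("4 of 13 stale :", resolve_with_retry([(1000, 1500)] * 4 + [(1000, 3000)] * 9, now=2000))
```

Running the script shows the stale-DS case failing until the parent publishes a DS for the current key, and the retry model answering from the fifth server when the first four hand back signatures that have already expired.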
