On 07/10/2021 08:52, Mark Andrews wrote:
> DNSSEC will work reasonably well if the upstream are just DNSSEC aware (keep the
> RRSIGs with the data they cover, pass through negative proofs required for
> the answers) if there is not spoofed traffic, a mix of DNSSEC aware and DNSSEC
> oblivious server for the zone, etc.  A validating upstream will block this
> badness and only pass through good responses. A non-validating upstream will
> cache this garbage.
>
> It will fail abysmally if the upstreams are not DNSSEC aware.  Don’t even
> attempt it.

With the getdns API library and stub resolver design, quite a bit of effort has gone into "road block avoidance" i.e. checking if the upstream resolver is DNSSEC aware and falling back to full recursion if it isn't (to obtain the DNSSEC data for end-point validation).

For pictures, see the slide deck https://getdnsapi.net/slides/an-earnest-stub.pdf, slide 17 and onwards.


-- Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
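The "road block avoidance" check Benno describes boils down to asking: does the upstream echo the EDNS DO bit and keep RRSIGs with the data, or does it strip them? The script below is an added illustration written for this thread, not code from getdns or NLnet Labs. It parses DNS wire format directly, so it needs no third-party library, and it classifies a response as DNSSEC-aware (RRSIGs present and DO echoed) or DNSSEC-oblivious (anything else), which is the point at which a stub would fall back to full recursion. The responses, the query name, the 192.0.2.1 address and the RRSIG payload are all constructed in-line so the script runs offline; the field layouts are the standard ones from RFC 1035, RFC 4034 and RFC 6891.

```python
"""Classify an upstream resolver's response as DNSSEC-aware or
DNSSEC-oblivious by inspecting the DNS wire format (added example, not
getdns code). Sample responses are constructed below; nothing is sent
on the network."""
import struct

TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41
FLAG_AD = 0x0020   # header flags: Authenticated Data (set by a validating resolver)
EDNS_DO = 0x8000   # OPT "TTL" field, low 16 bits: DNSSEC OK bit


def encode_name(name):
    """Encode a dotted name as DNS labels; "." is the single root byte."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(wire, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:          # compression pointer: jump, remember where we were
            end = end or off + 2
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end or off)


def rr(name, rtype, rclass, ttl, rdata):
    """Serialise one resource record (generic layout from RFC 1035)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(qname, include_rrsig, echo_do, set_ad):
    """Constructed answer to `qname A?`. echo_do: True/False for an OPT
    record with/without DO, None for no EDNS at all (a legacy upstream)."""
    flags = 0x8180 | (FLAG_AD if set_ad else 0)          # QR, RD, RA (+AD)
    answers = [rr(qname, TYPE_A, 1, 300, bytes([192, 0, 2, 1]))]
    if include_rrsig:
        # RRSIG rdata (RFC 4034 3.1): type covered, alg 13, labels, orig TTL,
        # expiration, inception, key tag, signer, then a dummy signature blob.
        sig = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 1700000000, 1690000000, 12345)
        sig += encode_name(qname) + b"\x00" * 64
        answers.append(rr(qname, TYPE_RRSIG, 1, 300, sig))
    additional = []
    if echo_do is not None:
        # OPT pseudo-RR (RFC 6891): name ".", class = UDP payload size, TTL carries DO.
        additional.append(rr(".", TYPE_OPT, 1232, EDNS_DO if echo_do else 0, b""))
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + b"".join(additional)


def assess_upstream(wire):
    """Walk every section of a response and report what a stub can rely on."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = decode_name(wire, off)
        off += 4
    seen_rrsig = has_opt = do_echoed = False
    for _ in range(an + ns + ar):
        _, off = decode_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            seen_rrsig = True
        elif rtype == TYPE_OPT:
            has_opt, do_echoed = True, bool(ttl & EDNS_DO)
    # AD alone is only the upstream's word; for end-point validation the stub
    # needs the RRSIGs themselves, so the verdict keys on DO + RRSIG, not AD.
    aware = seen_rrsig and do_echoed
    return {
        "edns": has_opt, "do": do_echoed, "rrsig": seen_rrsig,
        "ad": bool(flags & FLAG_AD),
        "verdict": "dnssec-aware" if aware else "dnssec-oblivious",
        "action": "use upstream" if aware else "fall back to full recursion",
    }


if __name__ == "__main__":
    for label, resp in [
        ("validating, keeps RRSIGs", build_response("example.net.", True, True, True)),
        ("no EDNS at all", build_response("example.net.", False, None, False)),
        ("EDNS but strips RRSIGs", build_response("example.net.", False, True, False)),
    ]:
        print(f"{label:28s} -> {assess_upstream(resp)}")
```

The third constructed case is the one worth watching for in practice: a middlebox or forwarder that answers EDNS queries and even echoes DO, yet drops the RRSIGs. It looks DNSSEC-capable on the surface but leaves the stub with nothing to validate, so it has to be treated exactly like a DNSSEC-oblivious upstream.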

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop