On 03. 03. 21 7:35, Viktor Dukhovni wrote:
On Wed, Mar 03, 2021 at 06:04:45AM +0000, Paul Vixie wrote:

A laudable goal, but exposing RRSIG as a bare RRset one can query does
not look like a viable path forward.  So I don't see this happening.
You described several cases in which rrsigs wouldn't be stable enough.
in my own role as signer, the rrsigs are refreshed by cron on sundays,
and so I think we're both looking at anecdotes here, worst or best case
scenarios, and what you don't see happening isn't totally compelling.
Another basic issue with RRSIG queries, already mentioned by Brian Dickson,
is that there's no way to ask for the RRSIG of a specific RRSet, one can
(at present) only ask for all (or any subset) of the RRSIGs associated
with a given name, and returning them all (at least over UDP) is often
not a good idea.

So, as noted by Tony Finch, the DNSSEC-oblivious iterative resolver may
(as already recommended) get back from its authoritative upstream only a
random representative record from the authoritative upstream (just as
with ANY queries), which is again often not the RRSIG you're looking
for.

For the record, "respond with a randomly selected RRSIG" is implemented in Knot DNS 3.0.0, released in September 2020 [1]. Apparently the sky did not fall.

[1] https://www.knot-dns.cz/2020-09-09-version-300.html

--
Petr Špaček  @  ISC
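As an added illustration of the protocol point debated above (not code from any participant or from Knot DNS), the following Python shows the two ways of asking for signatures: a query for qtype RRSIG, which cannot say which RRset's signature is wanted and which an authoritative may answer with all RRSIGs at the name or with one random representative, versus a query for the RRset's own type with the EDNS0 DO bit set. The RRSIG records, the signer name and the policy model are constructed sample data; names such as `build_query` and `covering` are this example's own.

```python
import random
import struct

TYPE_A, TYPE_MX, TYPE_OPT, TYPE_RRSIG = 1, 15, 41, 46
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted owner name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234, dnssec_ok=True):
    """Build a DNS query (RD=1). With dnssec_ok an EDNS0 OPT pseudo-RR with the
    DO bit (0x8000) is appended, which asks the server to return the RRSIG
    covering the queried RRset alongside it (RFC 4035). A bare qtype=RRSIG
    query has no field in which to name the RRset whose signature is wanted."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, type 41, UDP payload size 1232, ext-rcode 0, version 0,
    # flags (DO), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, 0)
    return header + question + (opt if dnssec_ok else b"")


def make_rrsig_rdata(covered, signer="example.com."):
    """Constructed RRSIG RDATA (RFC 4034 s3.1): type covered, algorithm 13,
    labels 2, original TTL, expiration, inception, key tag, signer name and a
    dummy 64-byte signature. Sample data only, not a valid signature."""
    fixed = struct.pack("!HBBIIIH", covered, 13, 2, 3600, 1617235200, 1614643200, 12345)
    return fixed + encode_name(signer) + b"\x00" * 64


def rrsig_type_covered(rdata):
    """The first 16 bits of RRSIG RDATA are the type the signature covers."""
    return struct.unpack("!H", rdata[:2])[0]


def answer_rrsig_query(rrsigs, policy="all"):
    """Model of the two authoritative behaviours discussed for qtype=RRSIG:
    return every RRSIG at the name, or a single randomly chosen one."""
    return list(rrsigs) if policy == "all" else [random.choice(rrsigs)]


def covering(rrsigs, qtype):
    """Filter the RRSIGs to the one(s) covering qtype, i.e. what a DO=1 query
    for qtype would have returned alongside the RRset itself."""
    return [r for r in rrsigs if rrsig_type_covered(r) == qtype]
```

Sent over UDP with a socket, `build_query("example.com.", TYPE_A)` is the form that reliably yields the RRSIG over the A RRset; the `answer_rrsig_query` model shows why a qtype=RRSIG query may not.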

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
