On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <[email protected]> wrote:
> Yes, I agree. A resolver can't really tell that a response with an expired > signature wasn't an attacker trying to replay old data. For robustness > against attacks, it must re-query other available other servers if they > exist. > > Also, I was under the impression that most resolvers already had this > robust behavior. Since Unbound was mentioned, I just tested an unbound > resolver against a test DNS record that I have provisioned with an > intentionally expired DNSSEC signature - it sent queries to all 4 servers > for the zone before giving up and returning SERVFAIL. > Interesting. As I understand it, in the event we're talking about, 4/13 nameservers would have been stale - so it might be that it did retry but not enough to work around the problem. We definitely saw Unbound returning SERVFAIL for unsigned com domains though. I didn't get around to retesting the specific circumstances yet, but if Unbound already retries on this, then we can just work to understand the details better. Gavin
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
