On Tue, Jul 18, 2023 at 7:53 PM Gavin McCullagh <[email protected]> wrote:
> On Tue, Jul 18, 2023 at 12:45 PM Shumon Huque <[email protected]> wrote:
>> Yes, I agree. A resolver can't really tell that a response with an expired
>> signature wasn't an attacker trying to replay old data. For robustness
>> against attacks, it must re-query other available servers if they
>> exist.
>>
>> Also, I was under the impression that most resolvers already had this robust 
>> behavior. Since Unbound was mentioned, I just tested an unbound resolver 
>> against a test DNS record that I have provisioned with an intentionally 
>> expired DNSSEC signature - it sent queries to all 4 servers for the zone 
>> before giving up and returning SERVFAIL.
>
>
> Interesting.  As I understand it, in the event we're talking about, 4/13 
> nameservers would have been stale - so it might be that it did retry but not 
> enough to work around the problem.  We definitely saw Unbound returning 
> SERVFAIL for unsigned com domains though.  I didn't get around to retesting 
> the specific circumstances yet, but if Unbound already retries on this, then 
> we can just work to understand the details better.
>
> Gavin

My past experience with Unbound (a few years ago) was that it very
aggressively tried every nameserver when it encountered problems,
DNSSEC or otherwise. If someone had asked me a month ago, I would have
joked that the only way it would have returned SERVFAIL is if your
Unbound clusters DDoSed Verisign offline. :-)

This is only a guess, but maybe it hit a limit like the new
max-sent-count setting?

For a while now, resolvers have been focusing on limiting queries for
things like the NXNSAttack, which works against your goal here.

With all due respect to Verisign and their highly-provisioned servers,
that is a real concern. It doesn't help anything when a zone is
completely bogus *and* the zone and its parents are getting 1000x
their normal query volume in retries.

Maybe you hit an edge case or Unbound's defaults should be tuned a
little differently?
-- 
Matt Nordhoff
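As an added illustration of the point being discussed (this is not code from the thread or from Unbound), the following Python models a validating resolver that, on an expired RRSIG, falls back to the remaining authoritative servers under a per-request send budget in the spirit of Unbound's max-sent-count option (default 32 in unbound.conf). The RRSIG validity check uses the RFC 4034 time fields with RFC 1982 serial arithmetic. The server model (random server order, one send per server, budget shared with the rest of the recursion via a hypothetical `spent` parameter), the 13/4 server counts, the timestamps and the stale/good window values are assumptions for illustration and do not reproduce Unbound's actual RTT-based server selection.

```python
"""Added example: DNSSEC signature-expiry check plus a toy model of resolver
fallback under a send budget (modelled loosely on Unbound's max-sent-count).
Not Unbound's algorithm; server counts and timestamps are constructed."""
import random
from datetime import datetime, timezone
from math import comb


def rrsig_time(field: str) -> int:
    """Parse an RRSIG Inception/Expiration field (YYYYMMDDHHmmSS, UTC,
    RFC 4034 section 3.2) into seconds since the Unix epoch."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a > b' modulo 2^32, which is how RFC 4034
    section 3.1.5 says the 32-bit signature times must be compared."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and (b - a) > 2**31) or (a > b and (a - b) < 2**31)


def sig_valid_now(inception: int, expiration: int, now: int) -> bool:
    """True when inception <= now <= expiration in serial arithmetic."""
    return not serial_gt(inception, now) and not serial_gt(now, expiration)


def resolve(servers, now, budget, rng):
    """Query the zone's servers in random order until one returns a signature
    that validates, or the send budget is exhausted. Each server here is a
    (inception, expiration) pair standing in for the RRSIG it would serve.
    Returns ("ok", sends) or ("servfail", sends)."""
    order = list(servers)
    rng.shuffle(order)
    sends = 0
    for inception, expiration in order:
        if sends >= budget:
            break
        sends += 1
        if sig_valid_now(inception, expiration, now):
            return ("ok", sends)
    return ("servfail", sends)


# Constructed signature windows: a current one and one that lapsed on 15 July.
NOW = rrsig_time("20230718000000")
GOOD = (rrsig_time("20230701000000"), rrsig_time("20230801000000"))
STALE = (rrsig_time("20230601000000"), rrsig_time("20230715000000"))


def simulate(n_servers, n_stale, max_sent, spent, trials, seed=1):
    """Fraction of trials ending in SERVFAIL when `n_stale` of `n_servers`
    serve the lapsed signature and `spent` of the `max_sent` budget was
    already consumed by the rest of the recursion (hypothetical knob)."""
    servers = [STALE] * n_stale + [GOOD] * (n_servers - n_stale)
    rng = random.Random(seed)
    fails = sum(
        1 for _ in range(trials)
        if resolve(servers, NOW, max_sent - spent, rng)[0] == "servfail"
    )
    return fails / trials


def exact_servfail_probability(n_servers, n_stale, remaining):
    """Closed form for the same model: SERVFAIL happens only if every one of
    the `remaining` sends lands on a stale server (draws without replacement)."""
    if remaining > n_stale:
        return 0.0
    return comb(n_stale, remaining) / comb(n_servers, remaining)


if __name__ == "__main__":
    assert not sig_valid_now(STALE[0], STALE[1], NOW)
    print("servers=13 stale=4 (the mix mentioned in the thread)")
    for remaining in (1, 2, 4, 5, 13):
        p = exact_servfail_probability(13, 4, remaining)
        print(f"  sends left {remaining:2d}: P(SERVFAIL) = {p:.4f}")
```

With 4 of 13 servers stale, a resolver that still has 5 or more sends to spend on the zone never fails in this model; the SERVFAIL probability only becomes non-zero when the budget left after the rest of the recursion is smaller than the number of stale servers, which is the kind of edge case the message speculates about.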


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations