> How? I'm not being snarky, I don't see what the problem is. You
> set some small limit on the number of validations you do, and then
> give up. I hope we agree that resolvers already do that.
The difference between theory and practice. In theory, signature validation errors are rare, in practice they are not.

The problem is that recursors just set random limits that seem to work most of the time. On the authoritative side, these limits are largely unknown, let alone the effect on validation of errors in multiple zones.

Recently, as a result of reports of potential DoS attacks, resolvers have reduced limits to the point where at cold start queries often exceed those limits.

What I find sad is that we have a vastly underspecified protocol. Resolvers have a random collection of mostly undocumented limits. It doesn't feel like engineering. It is just trying some random things and hoping it doesn't collapse too soon when released in the real world.

Discussions about limits fail. And it is not even clear why they fail. For example, who would be the affected parties of a BCP that has a statement that DNSSEC signers MUST NOT generate key tag collisions?

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
