IETF Logo Mail Archive

[DNSOP] Re: A question regarding DNSSEC validation

Cathy Zhang <scooct@163.com> Mon, 20 April 2026 01:53 UTC

Return-Path: <scooct@163.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CA4D3DF5ADE1 for <dnsop@mail2.ietf.org>; Sun, 19 Apr 2026 18:53:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776650015; bh=0S4xjBLlbwzTTQQye9fVfVHN/OVliLJr8x5ZxbztQ5U=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=vyV2+9Smsm98KLLZZ7dcYUX7XCo3A3zkMLq6RLEnRUETzA1N6tYC1GcZ+7iGqFMub hyT+kuw5uPRvE+Yg5Bmg/kcX7wVhcGsGzjZxaRJSSkBbCCQSUVs/Yj6HwTfQZ/Njjs dPjhXKkX0VZlLG94WtNc+w2PUTBXwDi81WlAtW4Y=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=163.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGFe-_FxbpFJ for <dnsop@mail2.ietf.org>; Sun, 19 Apr 2026 18:53:34 -0700 (PDT)
Received: from m16.mail.163.com (m16.mail.163.com [117.135.210.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 74B6ADF5ADCA for <dnsop@ietf.org>; Sun, 19 Apr 2026 18:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=Date:From:To:Subject:Content-Type:MIME-Version: Message-ID; bh=0S4xjBLlbwzTTQQye9fVfVHN/OVliLJr8x5ZxbztQ5U=; b=S HlwgX0ELtb0PvUwX8bhGy6W4cSqTs6NXZxbKoI/rsBhegvpU/ZgVtzaRuEkaT+wa ggjlJAdcXlfQtgd3cLeMHdySdYVHMGgd9SKrL5Sg6YIkXV/IQWksp9L57R9FoQB8 kCXCuoSciGADJn61tv9RrCas3fRlH0BlFLjGr20gCw=
Received: from scooct$163.com ( [2001:dc7:dd00:6800::5b] ) by ajax-webmail-wmsvr-40-110 (Coremail) ; Mon, 20 Apr 2026 09:53:20 +0800 (CST)
X-Originating-IP: [2001:dc7:dd00:6800::5b]
Date: Mon, 20 Apr 2026 09:53:20 +0800
From: Cathy Zhang <scooct@163.com>
To: Edward Lewis <eppdnsprotocols@gmail.com>
X-Priority: 3
X-Mailer: Coremail Webmail Server Version 2023.4-cmXT build 20251222(83accb85) Copyright (c) 2002-2026 www.mailtech.cn 163com
In-Reply-To: <7CA832F4-085E-4C14-B497-C6D463D822F9@gmail.com>
References: <749d198c.101a.19d93e2675d.Coremail.scooct@163.com> <CAOdQrVMv+PhzCc1_=uAqb=qWeF53um5VwnkhPFsSgK40XSt=yw@mail.gmail.com> <907eeced-4878-4d55-b3cb-48ecd6b9a780@nic.cz> <7CA832F4-085E-4C14-B497-C6D463D822F9@gmail.com>
X-NTES-SC: AL_Qu2cBPqev0gr5iCZYukfmUcUhek2UcWxu/0u3YZfPp5+jCfp0y8pVnxFMWHm1N2kEQuUsCW6fgN1y+tffph9b4AtdSjtV5vumdvzz4Vv4yWCLQ==
Content-Type: multipart/alternative; boundary="----=_Part_25240_441583941.1776650000031"
MIME-Version: 1.0
Message-ID: <13d59275.1a50.19da89796a0.Coremail.scooct@163.com>
X-Coremail-Locale: zh_CN
X-CM-TRANSID: bigvCgDnMokQh+VpOcCRAA--.46146W
X-CM-SenderInfo: 5vfr0urw6rljoofrz/xtbC4xC5xWnlhxCwMgAA3W
X-Coremail-Antispam: 1U5529EdanIXcx71UUUUU7vcSsGvfC2KfnxnUU==
Message-ID-Hash: OVNMWYEXORAQEQ2LPWFZQFNTEBDZRISP
X-Message-ID-Hash: OVNMWYEXORAQEQ2LPWFZQFNTEBDZRISP
X-MailFrom: scooct@163.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: A question regarding DNSSEC validation
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GPJPircZIXipkGLPupE1eajGP24>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Edward,


Thank you very much for your detailed and insightful answer. This is precisely why I raised this question.


If the resolver does not continue waiting, even though a forged response would mostly be discarded due to validation failure, it could still effectively prevent the legitimate response from being accepted and processed. In other words, although cache poisoning is unsuccessful, the resolver would no longer handle valid responses from the correct authoritative servers.


It seems that querying all available authoritative servers can mitigate the impact of forged responses that arrive earlier, unless queries sent to every authoritative server are all preempted by forged replies.


Ignoring such invalid responses and continuing to wait for valid ones until timeout appears to be a better design. It seems that, except for replay attacks involving negative responses, missing or invalid signatures would not prevent the resolver from processing correct responses.


I would greatly appreciate your insight on whether DNS implementations such as BIND, Unbound, and PowerDNS actually adopt this kind of behavior.


BR,
Cathy











在 2026-04-20 09:19:57,"Edward Lewis" <eppdnsprotocols@gmail.com> 写道:

On Apr 17, 2026, at 13:15, Libor Peltan <libor.peltan=40nic.cz@dmarc.ietf.org> wrote:

First of all, I think this mailing-list is not an optimal channel to ask such quetsions.



I don’t see why not...


But I feel a need to slightly correct Ben: in most cases, if a resolver receives a DNSSEC response that fails to validate (so called BOGUS) for any reason (e.g. missing or invalid RRSIG), it tries to query another authoritative nameserver for that zone. Only after all are tried and all are BOGUS or unreachable (or erroneous in other ways), the resolver will conclude SERVFAIL to the client. Of course there are many exceptions when the described is not entirely true. But I guess no sane resolver would re-try querying the same authoritative nameserver after a while.

I’d treat a response that fails validation as a non-response (“it didn’t happen”).  After issuing a query, wait until a valid response is received or the timeout is reached.  If the timeout is reached, act like nothing ever arrived.


In the original DNSSEC problem statement, a concern was that a query would be issued and an adversary could forge and send a response quickly enough to beat the true response.  An adversary could anticipate the query or see the query (if on path) and get a head start, nevertheless, the query could (also) get to the intended source.  The intended source could still answer, it’d be a shame to have given up because of the forged response.


It’d be forgivable (in that the code is simpler) to kill the query upon receiving the bad response, but to be more resilient, wait until the timeout for a potential good (validated) response.


Ed Lewis

v2.41.0 | Report a Bug | By Email | System Status