[DNSOP] Re: A question regarding DNSSEC validation
Shumon Huque <shuque@gmail.com> Mon, 20 April 2026 21:01 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/J3tWnV-qo5m2wmMy3KabNDuqlkI>
On Mon, Apr 20, 2026 at 4:57 PM John Kristoff <jtk=40dataplane.org@dmarc.ietf.org> wrote:

> On Mon, 20 Apr 2026 16:17:27 -0400
> Shumon Huque <shuque@gmail.com> wrote:
>
> > The DNS protocol specs do not in my view adequately describe robust
> > retry and failover, and I think they should.
>
> I asked a variation of this question (e.g., if a resolver can't
> validate an answer due to an expired sig) elsewhere where a few
> implementing code hang out. In short, specifications are not entirely
> clear and implementations can differ. Here is some additional detail:
>
> From IETF RFC 1034, Section 5.3.3 Algorithm
>
> "Step 3 sends out queries until a response is received. The strategy
> is to cycle around all of the addresses for all of the servers with a
> timeout between each transmission."
>
> From IETF RFC 1035, Section 7.2 Sending the queries
>
> "The key algorithm uses the state information of the request to
> select the next name server address to query, and also computes a
> timeout which will cause the next action should a response not
> arrive. The next action will usually be a transmission to some other
> server, but may be a temporary error to the client."
>
> Knot, Bind, and Unbound will retry, but each may exhibit slightly
> different behavior.

Thanks John. Certainly implementations will differ because of software architecture or other reasons. I think that's fine as long as some general principles about retry and failover can be agreed to be followed.

Shumon.
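As an added illustration of the RFC 1034 / RFC 1035 retry-and-failover loop quoted in the thread above (example code written for this page, not from Knot, BIND or Unbound): the resolver cycles around all server addresses, and a timed-out attempt or a reply that fails DNSSEC validation (the expired-signature case John raises) moves on to the next address, with a temporary error returned to the client only after every address has been tried. The address list, the outcomes and the scripted `send` function are constructed; treating a validation failure like a timeout for failover purposes is this example's assumption, not text from either RFC.

```python
"""Resolver retry/failover loop in the spirit of RFC 1034 s.5.3.3 and RFC 1035 s.7.2.

Constructed, offline example: `send` is an injected callable that stands in
for "transmit to this address and wait up to the computed timeout".
"""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    OK = "ok"            # response received and DNSSEC validation succeeded
    TIMEOUT = "timeout"  # no response before the per-attempt timeout
    BOGUS = "bogus"      # response received but could not be validated (e.g. expired RRSIG)


@dataclass
class Attempt:
    address: str
    outcome: Outcome


@dataclass
class Result:
    answer: object                       # validated answer, or "SERVFAIL"
    attempts: list = field(default_factory=list)


def resolve_with_failover(addresses, send, max_cycles=2):
    """Cycle around all addresses (RFC 1034 step 3). A timeout or an
    unvalidatable reply selects the next address (RFC 1035 s.7.2 "next
    action"); after max_cycles full passes with no validated answer the
    next action becomes a temporary error (SERVFAIL) to the client."""
    attempts = []
    for _ in range(max_cycles):
        for addr in addresses:
            outcome, answer = send(addr)
            attempts.append(Attempt(addr, outcome))
            if outcome is Outcome.OK:
                return Result(answer, attempts)
    return Result("SERVFAIL", attempts)


# Constructed scripted behaviour: each address yields its outcomes in order
# and then repeats the last one. 192.0.2.2 serves a stale (expired) signature.
SCRIPT = {
    "192.0.2.1": [(Outcome.TIMEOUT, None), (Outcome.TIMEOUT, None)],
    "192.0.2.2": [(Outcome.BOGUS, "expired-rrsig")],
    "192.0.2.3": [(Outcome.OK, "validated-answer")],
}


def make_scripted_send(script):
    state = {addr: list(outs) for addr, outs in script.items()}
    def send(addr):
        outs = state[addr]
        return outs.pop(0) if len(outs) > 1 else outs[0]
    return send
```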