[DNSOP] Re: A question regarding DNSSEC validation

Shumon Huque <shuque@gmail.com> Tue, 21 April 2026 19:42 UTC

MIME-Version: 1.0
References: <749d198c.101a.19d93e2675d.Coremail.scooct@163.com> <CAOdQrVMv+PhzCc1_=uAqb=qWeF53um5VwnkhPFsSgK40XSt=yw@mail.gmail.com> <907eeced-4878-4d55-b3cb-48ecd6b9a780@nic.cz> <CAHPuVdWog2kHVG_zYDfo_JJjoHaMbyLjf0_j_6iEZ=d5UvReFg@mail.gmail.com> <BEFAB35F-B622-4395-88CD-F3B616C62254@gmail.com>
In-Reply-To: <BEFAB35F-B622-4395-88CD-F3B616C62254@gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 21 Apr 2026 15:41:04 -0400
Message-ID: <CAHPuVdUjoYz7P1-eZBC+-wci5W_6fK5UaJ-trPxMe4Jv8w9xbA@mail.gmail.com>
To: Edward Lewis <eppdnsprotocols@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003c76ef064ffd9962"
Message-ID-Hash: Z43V4Z3G4ZIFNGHBWW3RXOQJGBJVSZZL
CC: Libor Peltan <libor.peltan=40nic.cz@dmarc.ietf.org>, dnsop <dnsop@ietf.org>, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Cathy Zhang <scooct@163.com>
Precedence: list
Subject: [DNSOP] Re: A question regarding DNSSEC validation
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KyWCzeo0E3qQELIYSymujwkdr1k>

On Tue, Apr 21, 2026 at 2:35 PM Edward Lewis <eppdnsprotocols@gmail.com>
wrote:

> On Apr 20, 2026, at 4:17 PM, Shumon Huque <shuque@gmail.com> wrote:
> >
> > It would be nice if I could concretely point people to a specification
> document that says how to do this correctly.
>
> That might be over-specifying.  The IETF documents target
> interoperability, historically not conformance.
>
> Leaving implementers wiggle room in handling anomalies is a good thing as
> the nature of root causes is ever evolving.
>

Hi Ed, I'm not proposing to over-specify anything or to go into
implementation details.

I'm proposing to clearly state some general principles for robust resolver
behavior. For example, that resolvers should re-query other name servers
for the zone when they get erroneous responses, such as unvalidatable
answers (invalid/missing/expired signatures, erroneous response codes,
etc). Is this a controversial position? Unless I've missed it, this does
not seem to be clearly addressed today anywhere in the DNS specs.

Shumon.

[DNSOP] A question regarding DNSSEC validation Cathy Zhang
[DNSOP] Re: A question regarding DNSSEC validation Libor Peltan
[DNSOP] Re: A question regarding DNSSEC validation Ben Schwartz
[DNSOP] Re: A question regarding DNSSEC validation Mukund Sivaraman
[DNSOP] Re: A question regarding DNSSEC validation Edward Lewis
[DNSOP] Re: A question regarding DNSSEC validation Cathy Zhang
[DNSOP] Re: A question regarding DNSSEC validation Edward Lewis
[DNSOP] Re: A question regarding DNSSEC validation Philip Homburg
[DNSOP] Re: A question regarding DNSSEC validation Shumon Huque
[DNSOP] Re: A question regarding DNSSEC validation Philip Homburg
[DNSOP] Re: A question regarding DNSSEC validation Edward Lewis
[DNSOP] Re: A question regarding DNSSEC validation Shumon Huque
[DNSOP] Re: A question regarding DNSSEC validation John Levine
[DNSOP] Re: A question regarding DNSSEC validation Ben Schwartz
[DNSOP] Re: A question regarding DNSSEC validation John Kristoff
[DNSOP] Re: A question regarding DNSSEC validation Shumon Huque
[DNSOP] Re: A question regarding DNSSEC validation Michael Richardson
[DNSOP] Re: A question regarding DNSSEC validation John Kristoff
[DNSOP] Re: A question regarding DNSSEC validation Philip Homburg
[DNSOP] Re: A question regarding DNSSEC validation Mark Andrews
[DNSOP] Re: A question regarding DNSSEC validation Ondřej Surý
[DNSOP] Re: A question regarding DNSSEC validation Mukund Sivaraman
[DNSOP] Re: A question regarding DNSSEC validation Shumon Huque
[DNSOP] Re: A question regarding DNSSEC validation Ben Schwartz