[DNSOP] Re: A question regarding DNSSEC validation

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 21 April 2026 18:16 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: dnsop@ietf.org
In-Reply-To: <CAHPuVdWog2kHVG_zYDfo_JJjoHaMbyLjf0_j_6iEZ=d5UvReFg@mail.gmail.com>
References: <749d198c.101a.19d93e2675d.Coremail.scooct@163.com> <CAOdQrVMv+PhzCc1_=uAqb=qWeF53um5VwnkhPFsSgK40XSt=yw@mail.gmail.com> <907eeced-4878-4d55-b3cb-48ecd6b9a780@nic.cz> <CAHPuVdWog2kHVG_zYDfo_JJjoHaMbyLjf0_j_6iEZ=d5UvReFg@mail.gmail.com>
Date: Tue, 21 Apr 2026 14:15:50 -0400
Message-ID: <15620.1776795350@obiwan.sandelman.ca>
Subject: [DNSOP] Re: A question regarding DNSSEC validation
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bs5GzjBOZ-IoxE06FO949U_GMqk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

Shumon Huque <shuque@gmail.com> wrote:
    > I agree with Philip's later comments on the thread that "attacks" that
    > attempt to falsify responses appear to be relatively rare (though how
    > can we know for sure, because they are often very targeted). But

I am surprised to learn this.
I thought that they used to be common: an off-path attacker could guess the
query-id and would race the answer.  Maybe we've gotten the query ids to be
sufficiently random now that such attacks are impractical?

It would be nice if, rather than an immediate SERVFAIL, resolvers could go
back to all the nameservers that failed DNSSEC and try again.
Better if they could keep that query state open for the correct reply.

I can well believe that many security devices let a single answer in, and
then close the pinhole... and that's broken.  Both because of DNSSEC, and
probably also because they discard non-initial fragments.


-- 
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

**       My working hours and your working hours may be different.         **
** Please do not feel obligated to reply outside your normal working hours **
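The two points in the message above, as an added illustration that is not part of the thread and not code from any real resolver: first, the odds an off-path forger has of matching the resolver's query identity when only the 16-bit TXID is random versus when the source port is randomised as well (the RFC 5452 mitigation); second, a toy resolver that, on a DNSSEC-bogus answer, keeps going to the remaining authoritative servers instead of returning SERVFAIL at once. The `Query`/`Response` classes, the `poisoned_ns`/`honest_ns` callables, the record data and the `rrsig_valid` flag (a stand-in for "the RRSIG verifies up to the trust anchor") are all constructed here for the example.

```python
"""Added illustration, not from the thread or any resolver's code.  The
servers, names and record data below are constructed stand-ins."""

import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def spoof_success_probability(entropy_bits: int, forged_packets: int) -> float:
    """Chance that one of `forged_packets` distinct blind guesses hits a query
    identity drawn uniformly from 2**entropy_bits values before the genuine
    reply lands.  16 bits models a random TXID only; about 32 bits models
    TXID plus a randomised source port (RFC 5452)."""
    return min(1.0, forged_packets / 2 ** entropy_bits)


@dataclass(frozen=True)
class Query:
    name: str
    txid: int    # 16-bit DNS message ID
    sport: int   # UDP source port the resolver sent from


@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dport: int          # port the reply was addressed to
    rdata: str
    rrsig_valid: bool   # stand-in for "RRSIG verifies up to the trust anchor"


# Constructed stand-in for an authoritative server: query in, one reply out.
Nameserver = Callable[[Query], Response]


def new_query(name: str, rng: random.Random) -> Query:
    """Fresh identity per query: random TXID and random ephemeral port."""
    return Query(name, rng.getrandbits(16), rng.randrange(1024, 65536))


def matches(q: Query, r: Response) -> bool:
    """Transport-level acceptance only checks TXID, port and question; this is
    all an off-path forger has to get right if DNSSEC is not validated."""
    return r.txid == q.txid and r.dport == q.sport and r.name == q.name


def resolve(name: str, servers: List[Nameserver], retry_on_bogus: bool,
            rng: Optional[random.Random] = None) -> Tuple[str, Optional[str]]:
    """Ask the servers in turn.  With retry_on_bogus=False the first bogus
    answer is fatal (immediate SERVFAIL).  With True the resolver treats a
    bogus answer like a lame server and moves on to the next one."""
    rng = rng or random.Random()
    for ns in servers:
        q = new_query(name, rng)
        r = ns(q)
        if not matches(q, r):
            continue                      # treated as a timeout for this server
        if r.rrsig_valid:
            return ("NOERROR", r.rdata)
        if not retry_on_bogus:
            return ("SERVFAIL", None)     # the behaviour the message complains about
    return ("SERVFAIL", None)             # every server gave a bogus answer


# Constructed scenario: replies via the first server are bogus (an attacker who
# already won the race on that path, or a misconfigured server); the second
# server is honest.  Both echo the query's TXID and port, so they pass matches().
def poisoned_ns(q: Query) -> Response:
    return Response(q.name, q.txid, q.sport, "203.0.113.66", rrsig_valid=False)


def honest_ns(q: Query) -> Response:
    return Response(q.name, q.txid, q.sport, "192.0.2.1", rrsig_valid=True)


if __name__ == "__main__":
    for bits in (16, 32):
        print(f"{bits}-bit identity, 1000 forged packets per race window:",
              spoof_success_probability(bits, 1000))
    print("no retry :", resolve("example.com.", [poisoned_ns, honest_ns], False))
    print("retry    :", resolve("example.com.", [poisoned_ns, honest_ns], True))
```

With 1000 forged packets in the race window the TXID-only case gives roughly a 1.5% hit rate per lookup, which an attacker can repeat until it lands; adding a random source port pushes that below one in a million. The second half shows why the retry matters: the same pair of servers yields SERVFAIL under the immediate-failure policy and the honest answer under the retry policy.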