[DNSOP] Re: A question regarding DNSSEC validation
Ondřej Surý <ondrej@sury.org> Tue, 21 April 2026 21:17 UTC
> On 21. 4. 2026, at 20:17, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> It would be nice if rather than immediate SERVFAIL, if resolvers could go
> back to all the nameservers that failed DNSSEC and try again.
> Better if they could keep that query state open for the correct reply.

That’s a pretty nice attack vector to make the resolver do more and more work by a malicious set of nameservers.

So… no, thank you. Any design where an attacker can force the resolver to issue more outgoing queries is inherently broken.

Ondrej
--
Ondřej Surý (He/Him)

A gentle nudge is always appreciated if I take a little longer to reply.
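A small model of the trade-off argued in this message, added here as an illustration (it is not code from the post or from any resolver). It counts outgoing queries per client query under fail-fast and retry-on-validation-failure policies; `max_upstream` is a hypothetical per-query cap, and the nameserver names and the count of 13 are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Nameserver:
    name: str
    bogus: bool  # constructed flag: True means its answer fails DNSSEC validation


def resolve(nameservers, retry_on_bogus, max_upstream=None):
    """Model one client query; return (rcode, upstream_queries_sent).

    retry_on_bogus=False: SERVFAIL on the first validation failure.
    retry_on_bogus=True:  try the next nameserver after each failure.
    max_upstream:         hypothetical per-client-query cap on outgoing queries.
    """
    sent = 0
    for ns in nameservers:
        if max_upstream is not None and sent >= max_upstream:
            break                  # work budget spent: stop and fail
        sent += 1                  # one outgoing query plus one validation
        if not ns.bogus:
            return "NOERROR", sent
        if not retry_on_bogus:
            break                  # fail fast after the first bogus answer
    return "SERVFAIL", sent


def amplification(ns_count, retry_on_bogus, max_upstream=None):
    """Outgoing queries per client query when every nameserver is hostile."""
    hostile = [Nameserver(f"ns{i}.hostile.example", True) for i in range(ns_count)]
    return resolve(hostile, retry_on_bogus, max_upstream)[1]


# Constructed sample: one misconfigured server listed before a healthy one.
MIXED = [Nameserver("ns1.example", True), Nameserver("ns2.example", False)]

if __name__ == "__main__":
    print("benign, fail fast:", resolve(MIXED, False))
    print("benign, retry    :", resolve(MIXED, True))
    for policy, cap in ((False, None), (True, None), (True, 3)):
        print(f"hostile x13, retry={policy}, cap={cap}:",
              amplification(13, policy, cap))
```

In the benign case the retry policy recovers an answer at the cost of one extra query; in the hostile case the operator of the zone, not the resolver, decides how many queries are sent unless a cap bounds it.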