[DNSOP] Re: A question regarding DNSSEC validation

Ben Schwartz <bemasc@meta.com> Fri, 17 April 2026 15:17 UTC

Yes, it will return SERVFAIL (RCODE 2):
https://datatracker.ietf.org/doc/html/rfc4035#section-5.5.

% dig @9.9.9.9 dnssec-failed.org

; <<>> DiG 9.10.6 <<>> @9.9.9.9 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47094
...

On Wed, Apr 15, 2026 at 9:23 PM Cathy Zhang <scooct@163.com> wrote:

> Hi all,
>
> I have a question regarding DNSSEC that I would appreciate your advice on.
>
> When DNSSEC validation is enabled on a recursive resolver, if a response
> is received with a missing or invalid RRSIG, what will the resolver do?
> Will it return SERVFAIL to the client, or wait a while longer to see if a
> verifiable response can be received?
>
> BR,
> Cathy
>
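
Added example (not part of the thread or of any resolver's code): one way to tell a SERVFAIL caused by DNSSEC validation apart from other failures is to repeat the query with the CD (Checking Disabled) bit set, as `dig +cd` does, and compare the two response headers. The header bytes below are constructed samples, the function names are hypothetical, and the AD check assumes the query asked for it (DO or AD bit set).

```python
import struct

QR, AD, CD = 0x8000, 0x0020, 0x0010   # header flag bits (RFC 1035, RFC 4035)
NOERROR, SERVFAIL = 0, 2              # RCODE values

def parse_header(msg: bytes) -> dict:
    """Decode ID, RCODE and the AD/CD bits from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    return {"id": msg_id, "rcode": flags & 0x000F,
            "ad": bool(flags & AD), "cd": bool(flags & CD)}

def classify(normal: bytes, cd_retry: bytes) -> str:
    """Compare a normal response with the response to the same query sent with CD=1."""
    n, c = parse_header(normal), parse_header(cd_retry)
    # The server copies CD from query to response, so this catches swapped inputs.
    if n["cd"] or not c["cd"]:
        raise ValueError("expected CD clear on the first response and set on the retry")
    if n["rcode"] == SERVFAIL:
        # Data is retrievable once validation is skipped: the signatures were the problem.
        if c["rcode"] == NOERROR:
            return "validation-failure"
        return "failure-not-explained-by-validation"
    if n["rcode"] == NOERROR:
        return "validated" if n["ad"] else "not-validated"
    return "other-rcode"

def make_response(msg_id: int, flags: int, ancount: int) -> bytes:
    """Build a constructed header-only response (QR, RD and RA always set)."""
    return struct.pack("!HHHHHH", msg_id, QR | 0x0180 | flags, 1, ancount, 0, 0)

# Constructed samples: a zone with broken signatures, an unreachable zone, a healthy signed zone.
BOGUS = (make_response(1001, SERVFAIL, 0), make_response(1002, CD | NOERROR, 1))
UNREACHABLE = (make_response(1003, SERVFAIL, 0), make_response(1004, CD | SERVFAIL, 0))
SECURE = (make_response(1005, AD | NOERROR, 1), make_response(1006, CD | NOERROR, 1))

if __name__ == "__main__":
    for name, pair in (("bogus", BOGUS), ("unreachable", UNREACHABLE), ("secure", SECURE)):
        print(name, "->", classify(*pair))
```

A "validation-failure" result points at the zone's signatures or the chain of trust rather than at reachability, which is the case the SERVFAIL in the reply above illustrates.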