Any reaction to this CircleID article ?

http://www.circleid.com/posts/dns_resolvers_and_dnssec_roll_over_and_die/

It seems that BIND and Unbound can

"enter a mode of sustained, repeated and very rapid querying of DNS servers
for DNSKEY and RRSIG Resource records, causing potential problems for both DNS
servers and resolvers."

when configured with out-of-date trust anchors.

It seems to me that caching is required when data fails to validate, to avoid 
possible operational problems.

I had assumed that the validation component of a validating resolver would be 
independent of the cache.

Is there a misconceived attempt to prevent DoS attacks here?

George
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
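To make the operational point concrete, here is an added toy model (not code from BIND, Unbound or the CircleID article) of a validating resolver whose configured trust anchor predates a KSK rollover. Real RRSIG verification is replaced by an HMAC tag keyed on the constructed KSK secret; the key names, TTLs and query rate are assumptions chosen for illustration. It counts how many DNSKEY/RRSIG fetches the upstream server receives with and without a negative cache for validation failures.

```python
"""Toy model: stale trust anchor, with and without caching of validation failures."""
import hmac
import hashlib

DNSKEY_TTL = 3600.0  # assumed TTL of the zone's DNSKEY RRset (seconds)


def sign(key: bytes, rrset: bytes) -> bytes:
    """Stand-in for an RRSIG: an HMAC over the RRset keyed by the KSK secret."""
    return hmac.new(key, rrset, hashlib.sha256).digest()


class Upstream:
    """Authoritative server for 'example.'; counts DNSKEY/RRSIG fetches it serves."""
    def __init__(self, ksk: bytes):
        self.ksk, self.fetches = ksk, 0

    def dnskey(self):
        self.fetches += 1
        rrset = b"example. DNSKEY " + self.ksk
        return rrset, sign(self.ksk, rrset)


class Resolver:
    """Validating resolver; fail_ttl=0 means failures are never cached."""
    def __init__(self, upstream: Upstream, trust_anchor: bytes, fail_ttl: float):
        self.up, self.anchor, self.fail_ttl = upstream, trust_anchor, fail_ttl
        self.good_until = self.bad_until = 0.0  # positive / negative cache expiry

    def validate(self, now: float) -> str:
        if now < self.bad_until:
            return "SERVFAIL (cached)"
        if now < self.good_until:
            return "SECURE (cached)"
        rrset, rrsig = self.up.dnskey()
        if hmac.compare_digest(sign(self.anchor, rrset), rrsig):
            self.good_until = now + DNSKEY_TTL
            return "SECURE"
        self.bad_until = now + self.fail_ttl  # bound re-fetches after failure
        return "SERVFAIL"


def upstream_fetches(queries: int, fail_ttl: float, anchor_current: bool = False) -> int:
    """Fetches reaching the upstream for `queries` client queries at 100 q/s."""
    old_ksk, new_ksk = b"ksk-before-rollover", b"ksk-after-rollover"  # constructed
    up = Upstream(new_ksk)
    r = Resolver(up, new_ksk if anchor_current else old_ksk, fail_ttl)
    for i in range(queries):
        r.validate(now=i * 0.01)
    return up.fetches
```

With `fail_ttl=0` every client query turns into another DNSKEY/RRSIG fetch, which is the "sustained, repeated and very rapid querying" the article describes; a bounded failure cache reduces that to one fetch per `fail_ttl` interval.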
