On Tue, 28 Apr 2020, Davey Song wrote:
> As far as I know, in DNSSEC the validating resolver is able to identify a bad response if signatures do not validate. But it is unable to retrieve the good one for the stub resolver if there are other alternatives.
I think you mean if you receive a BOGUS validation result (e.g. missing RRSIG records, or otherwise not getting the records needed for proof of non-existence or signatures). In that case, I think the existing DNS protocol already tells you to try other servers?
> I'm thinking about a draft proposal: if signatures do not validate, the validating resolver can try other resolution paths like DoT or DoH directly to authoritative servers or other public DNS servers which offer the DNS encryption service. It aims to work around the resolution path where a DNS hijack happened.
This looks exactly like what the ADD working group is working on? The only difference is that instead of preferring some more private mechanism, you only prefer the more private mechanism upon some failure case? And I think that really comes down to the original politics of who decides where and when to not use the local resolver. And we are already in a heavy stalemate there.

Paul