On Tue, 28 Apr 2020, Davey Song wrote:

As far as I know, in DNSSEC the validating resolver is able to identify a bad
response if signatures do not validate. But it is unable to retrieve the good
one for the stub resolver if there are other alternatives.

I think you mean if you receive a BOGUS validation result (eg missing
RRSIG records, or otherwise not getting the records needed for proof
of non-existence or signatures). In that case, I think the existing
DNS protocol already tells you to try other servers?

I'm thinking about a draft proposal: if signatures do not validate, the
validating resolver can try other resolution paths like DoT or DoH directly to
authoritative servers or other public DNS servers which offer the DNS encryption
service. It aims to work around the resolution path where the DNS
hijack happened.

This looks exactly like what the ADD working group is working on? The only
difference is instead of preferring some more private mechanism, you
only prefer the more private mechanism upon some failure case? And
I think that really comes down to the original politics of who decides
where and when to not use the local resolver. And we are already in
a heavy stalemate there.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop