On Tue, Apr 28, 2020 at 9:48 AM Davey Song <songlinj...@gmail.com> wrote:
> > I think you mean if you receive a BOGUS validation result (eg missing
> > RRSIG records, or otherwise are not getting the records needed for proof
> > of non-existence or signatures. In that case, I think the existing
> > DNS protocol already tells you to try other servers?
>
> According to RFC4035 section 5.5, there is no retry to other servers.

That language could probably use some clarification. I would interpret "if .. none of the RRSIGs can be validated" as "if .. none of the RRSIGs can be validated from _any_ of the authority servers".

In practice, every validating resolver I'm familiar with will retry other servers upon signature validation failure. Otherwise, we would have a very fragile system - an adversary would just have to be able to intercept one path between resolver and one of the authority servers for a zone to cause resolution failure.

Shumon.
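The two readings of RFC 4035 section 5.5 discussed above, as an added example that is not part of the thread: a toy validating resolver that either gives up on the first BOGUS answer or retries the remaining authoritative servers. The RRSIG is stood in for by an HMAC over the RRset, and the server names, RRset and zone key are constructed for the illustration.

```python
"""Added example (not from the thread): a toy validating resolver that
retries other authoritative servers when one returns a BOGUS answer.
DNSSEC's RRSIG is stood in for by an HMAC over the RRset (assumption:
ZONE_KEY plays the role of the trusted zone key)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

ZONE_KEY = b"constructed-zone-key"  # stand-in for the zone's DNSKEY

def sign_rrset(rrset: bytes, key: bytes = ZONE_KEY) -> bytes:
    """Stand-in for producing an RRSIG: HMAC-SHA256 over the RRset data."""
    return hmac.new(key, rrset, hashlib.sha256).digest()

def validate(rrset: bytes, rrsig: bytes, key: bytes = ZONE_KEY) -> bool:
    """True means SECURE (signature verifies); False means BOGUS."""
    return hmac.compare_digest(sign_rrset(rrset, key), rrsig)

# Constructed answers from three authoritative servers for one RRset.
# ns1's answer carries a corrupted RRSIG (as if modified on the path
# between resolver and that one server); ns2 and ns3 are intact.
GOOD_RRSET = b"example. 3600 IN A 192.0.2.1"
AUTH_SERVERS: Dict[str, Tuple[bytes, bytes]] = {
    "ns1": (GOOD_RRSET, b"\x00" * 32),            # BOGUS: bad signature
    "ns2": (GOOD_RRSET, sign_rrset(GOOD_RRSET)),  # SECURE
    "ns3": (GOOD_RRSET, sign_rrset(GOOD_RRSET)),  # SECURE
}

def resolve_first_only(servers: Dict[str, Tuple[bytes, bytes]]) -> Optional[bytes]:
    """Literal reading of RFC 4035 5.5: first BOGUS answer -> SERVFAIL (None)."""
    rrset, rrsig = next(iter(servers.values()))
    return rrset if validate(rrset, rrsig) else None

def resolve_with_retry(servers: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Optional[bytes], List[str]]:
    """What deployed validators do: on BOGUS, try the next authority.
    Returns the validated RRset (or None) and the servers that gave BOGUS
    answers, so the failure can be logged without failing the query."""
    bogus: List[str] = []
    for name, (rrset, rrsig) in servers.items():
        if validate(rrset, rrsig):
            return rrset, bogus
        bogus.append(name)  # one bad path is not proof that the zone is broken
    return None, bogus
```

With the constructed data, `resolve_first_only` returns None (SERVFAIL) while `resolve_with_retry` returns the RRset after noting ns1 as BOGUS.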
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop