> That language could probably use some clarification. I would interpret
> "if .. none of the RRSIGs can be validated" as "if .. none of the RRSIGs
> can be validated from _any_ of the authority servers". In practice, every
> validating resolver I'm familiar with will retry other servers upon
> signature validation failure.

OK. It makes sense to try every name server to defend against the case where the
adversary only intercepts one path. But the adversary also knows the resolver
will retry other servers. So a smarter adversary may intercept the
aggregated upstream path where all queries are sent.

> Otherwise, we would have a very fragile system - an
> adversary would just have to be able to intercept one path between resolver
> and one of the authority servers for a zone to cause resolution failure.

Davey

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop