> That language could probably use some clarification. I would interpret
> "if .. none of the RRSIGs can be validated" as "if .. none of the RRSIGs
> can be validated from _any_ of the authority servers". In practice, every
> validating resolver I'm familiar with will retry other servers upon signature
> validation failure.

OK. It makes sense to try every name server to defend against the case where the adversary only intercepts one path. But the adversary also knows the resolver will retry other servers. So a smarter adversary may intercept the aggregated upstream path where all queries are sent.

> Otherwise, we would have a very fragile system - an
> adversary would just have to be able to intercept one path between resolver
> and one of the authority servers for a zone to cause resolution failure.
>
> Davey
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop