> On 9 Dec 2021, at 00:36, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote: > >> Also stop hiding this >> breakage. Knot and unbound ignore the NSEC records which trigger >> this when synthesising. All it does is push the problem down the >> road and makes it harder for others to do proper synthesis based >> on the records returned. > > I did some tests with unbound (version 1.13.1-1 on Debian Bullseye). > > For types other than 'A', the behavior is quite simple: if both > DNSSEC validation (auto-trust-anchor-file) and aggressive-nsec are enabled > then unbound will synthesize NODATA based on a cached NSEC record. > Both are off by default. > > For A records the situation is more complex. If qname-minimisation is off, > then the same applies to A records. However if qname-minimisation is on (and > it is on the default) then unbound will internally generate A record > queries. So the A record will be cached before the NSEC record. > > So in the case of Slack, anybody who enabled both DNSSEC validation and > aggressive-nsec would probably not have seen a failure due to the > broken NSEC records because qname-minimisation is on by default.
Actually they still can. Just wait until the A response expires while there are still cached NSEC present. This will happen naturally with a big enough client pool. Incorrect negative proofs lead to intermittent “incorrect” responses with aggressive synthesis. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
