Value of a DNSSEC validating resolver
Petr Menšík
pemensik at redhat.com
Fri Feb 9 12:06:53 UTC 2024
On 2/9/24 12:39, Mark Andrews wrote:
> Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.
>
I admit here we most often work with internal-only forwarders, which are
not accessible from the outer internet. So those won't be under attack, at
least directed from the uncontrolled outside. For an internal organization
resolver it is somehow easier to find the source of an attack and make them
stop. Something not possible on the public internet. And of course, if
the auth server becomes unreachable, it is up to the resolver to try the
alternative known servers. If they do not respond as well, then yes, stale
cache is the only thing protecting us from serving SERVFAILs.
But I am not sure how that contradicts what I have written before. Can
you elaborate a bit more, please?
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB