You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It looks like Recursor accepts the new root NSset from those bad responses. While this makes sense in terms of our whole implementation, and various words from RFC2181, I don't think it makes sense to accept 'authority updates' for the root NSset. Such updates would always fall into any of these 3 classes:
it's the root NSset we saw on the last prime
it's a new root NSset we will see on the next prime
it's garbage
Secondary to that, i wonder if we could/should be doing any DNSSEC validation on authority updates (in general, outside the root), and on our root priming.
The text was updated successfully, but these errors were encountered:
Background:
It looks like Recursor accepts the new root NSset from those bad responses. While this makes sense in terms of our whole implementation, and various words from RFC2181, I don't think it makes sense to accept 'authority updates' for the root NSset. Such updates would always fall into any of these 3 classes:
Secondary to that, i wonder if we could/should be doing any DNSSEC validation on authority updates (in general, outside the root), and on our root priming.
The text was updated successfully, but these errors were encountered: