Skip result of TLSA lookups for bad nameservers #13
Labels
enhancement
New feature or request
Comments
buffrr
changed the title
buffrr
added a commit
that referenced
this issue
May 8, 2021
* Pass ctx to resolver functions * Allow specifying network ip, ip4 or ip6 similar to Go's built-in resolver * Return security status of ip lookups (needed for issue #13) * Use a common implemenation for lookup ip/tlsa in recursive and stub resolvers * Use more suitable names * Add more tests
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some nameservers timeout or return SERVFAIL for any record type they don't understand
An example of such a server found in the wild (at the time of writing)
This nameserver doesn't even understand DNSSEC, but a recursive DNSSEC resolver will return SERVFAIL in this case which is not an acceptable answer for DANE and the website breaks.
A DANE client should not expect that all nameservers will answer reliably for the TLSA record type.
To avoid breaking services that use such nameservers, we should:
Credits to @vdukhovni for telling me about this idea
The text was updated successfully, but these errors were encountered: