Skip result of TLSA lookups for bad nameservers #13
Open
Labels: enhancement (New feature or request)
Description
Some nameservers time out or return SERVFAIL for any record type they don't understand.
An example of such a server found in the wild (at the time of writing):
dig @dns1.tribpub.com _443._tcp.www.chicagotribune.com tlsa
This nameserver doesn't even understand DNSSEC, but a recursive DNSSEC resolver will return SERVFAIL in this case, which is not an acceptable answer for DANE, and the website breaks.
A DANE client should not expect that all nameservers will answer reliably for the TLSA record type.
To avoid breaking services that use such nameservers, we should:
- Determine if either A or AAAA records of the host are in a DNSSEC-signed zone
- If the zone is unsigned, it's safe to skip the result of the TLSA lookup without risking a downgrade attack.
Credits to @vdukhovni for telling me about this idea.
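The decision rule proposed in this issue, written out as an added example (not this project's code). It models a validating resolver's answers as constructed records with no network I/O; the `Response`, `Rcode`, `Decision` types and the `dane_decision` name are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    """Response outcomes relevant to the TLSA decision."""
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"
    TIMEOUT = "TIMEOUT"  # not a real RCODE; models an unanswered query


@dataclass(frozen=True)
class Response:
    """Constructed model of what a validating resolver returned."""
    rcode: Rcode
    ad: bool = False        # AD flag set: the answer was DNSSEC-validated
    records: tuple = ()     # RDATA strings, empty for NODATA/NXDOMAIN/failure


class Decision(Enum):
    ENFORCE_DANE = "validated TLSA RRset: authenticate the peer with it"
    SKIP_DANE = "no usable TLSA data: connect without DANE"
    HARD_FAIL = "address zone is signed but TLSA lookup failed: refuse"


def dane_decision(address: Response, tlsa: Response) -> Decision:
    """Decide how a DANE client should treat the TLSA lookup result.

    `address` is the A or AAAA answer for the host, `tlsa` the answer for
    the _port._proto.host TLSA name, both from a validating resolver.
    """
    if tlsa.rcode in (Rcode.NOERROR, Rcode.NXDOMAIN):
        # A real answer came back. Only a validated, non-empty RRset
        # enables DANE; an unsigned answer or a validated denial of
        # existence means DANE simply does not apply to this host.
        if tlsa.ad and tlsa.records:
            return Decision.ENFORCE_DANE
        return Decision.SKIP_DANE
    # SERVFAIL or timeout: the nameserver may just not understand TLSA.
    # Skipping is safe only when the address records are unsigned, since
    # an attacker who could suppress TLSA could equally forge the A/AAAA.
    if not address.ad:
        return Decision.SKIP_DANE
    # Signed address zone: a failed TLSA lookup cannot be told apart from
    # an active downgrade attempt, so the connection must not proceed.
    return Decision.HARD_FAIL
```

In the scenario from the issue (unsigned A/AAAA zone, SERVFAIL on the TLSA query) this yields `SKIP_DANE`; the same SERVFAIL against a signed address zone yields `HARD_FAIL`.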