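@comment{IETF Internet-Draft (work in progress) on how DNSSEC-validating resolvers
  should treat unvalidated data introduced by CD=1 troubleshooting queries.
  Author names are stored as "Last, First"; only the acronym in the title is
  brace-protected so the style can still apply its own casing; the line-break
  artefact "DNSSEC- validating" in the exported abstract has been repaired.}
@techreport{zhang-dnsop-dnssec-unvalidated-data-00,
  author      = {Zhang, Shuhan and Wang, Shuai and Chen, Li and Li, Dan and Liu, Baojun},
  title       = {Handling Unvalidated Data during {DNSSEC} Troubleshooting},
  type        = {Internet-Draft},
  number      = {draft-zhang-dnsop-dnssec-unvalidated-data-00},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2025,
  month       = apr,
  day         = 7,
  pagetotal   = 12,
  url         = {https://datatracker.ietf.org/doc/draft-zhang-dnsop-dnssec-unvalidated-data/00/},
  note        = {Work in Progress},
  abstract    = {Due to the prevalence of DNSSEC (Domain Name System Security Extensions) misconfigurations, many domain administrators troubleshoot the records of DNSSEC-signed domains via queries with CD (Checking Disabled) bit set. However, as DNS resolvers are not forced to perform DNSSEC validation for CD=1 queries, the unvalidated data introduced during troubleshooting could be mixed up with the routine ones in the resolver cache. Recent research has revealed that the reuse of the cached unvalidated data in subsequent resolutions could lead to the risk of Denial-of-Service (DoS). This document clarifies the definition of unvalidated data in the context of DNSSEC. Then, it demonstrates the DoS vulnerabilities of current DNS resolver implementations due to the reuse of cached unvalidated data. Accordingly, it provides several recommendations for DNSSEC-validating resolvers to handle the unvalidated data and mitigate the risk of DoS, so as to improve the availability of DNSSEC-signed domains.},
}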