[GH-ISSUE #2294] make validating Recursor cache intermediate DNSSEC validations #958

Closed
opened 2026-03-16 01:05:19 +03:00 by kerem · 4 comments
Owner

Originally created by @japaric on GitHub (Jul 8, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2294

as it was noted in the description of PR #2289, the `Recursor` does *not* cache the results of each step of the chain of trust validation process. if it did, the `Recursor` could avoid performing signature validations (crypto operations) on subsequent queries about sibling and parent domains.

This behavior can be observed in the `explore` example

First query: `SOA nameservers.com.`

each line of the form "validated ({name}, {record_type}) with " in the logs indicates a RRSIG validation (crypto) operation

``` console
validated (com., DS) with (..)
validated (nameservers.com., DS) with (..)
validated (nameservers.com., SOA) with (..)
```

Second query: `DS nameservers.com.`

``` console
validated (com., DS) with (..)
validated (nameservers.com., DS) with (..)
```

There it can be seen that two RRSIG validation operations, that could have been avoided, were repeated in the second query.


@japaric commented on GitHub (Jul 8, 2024):

actually, it seems that the whole chain of trust validation happens (+) even when the exact same query is repeated 🤔

(+) the network operations are not repeated; we have tests for that


@bluejekyll commented on GitHub (Jul 28, 2024):

Was this fixed in #2297?


@japaric commented on GitHub (Aug 1, 2024):

@bluejekyll no, #2297 only caches the `Proof` outcome on the "top-most" answer that will be returned to the client. the goal of this ticket is to extend caching of `Proof`s to *each* step of the chain of trust validation.
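
The following is an added illustration, not code from hickory-dns or from any commenter in this thread: a minimal model of caching the proof for each chain-of-trust step, replayed against the two queries from the issue description. `ProofCache`, `Step` and `verify_rrsig` are hypothetical names, and the TTL and signature-expiry values are constructed; the real signature check is replaced by a counter.

```rust
use std::collections::HashMap;

// Hypothetical model for illustration; these are not hickory-dns types.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Proof { Secure, Bogus }
/// One chain-of-trust step: an RRset and the RRSIG covering it.
pub struct Step { pub name: &'static str, pub rtype: &'static str, pub ttl: u64, pub sig_expires: u64 }

#[derive(Default)]
pub struct ProofCache {
    // Simplified key; a real one would also identify the RRSIG and DNSKEY used.
    entries: HashMap<(&'static str, &'static str), (Proof, u64)>, // (proof, valid_until)
    pub crypto_ops: usize,
}

impl ProofCache {
    /// Stand-in for the real RRSIG verification: counts calls and checks expiry only.
    fn verify_rrsig(&mut self, step: &Step, now: u64) -> Proof {
        self.crypto_ops += 1;
        if now < step.sig_expires { Proof::Secure } else { Proof::Bogus }
    }
    pub fn validate_step(&mut self, step: &Step, now: u64) -> Proof {
        let key = (step.name, step.rtype);
        if let Some(&(proof, valid_until)) = self.entries.get(&key) {
            if now < valid_until { return proof; } // cache hit: no crypto operation
        }
        let proof = self.verify_rrsig(step, now);
        // A cached proof must not outlive the RRset TTL or the signature itself.
        let valid_until = now.saturating_add(step.ttl).min(step.sig_expires);
        self.entries.insert(key, (proof, valid_until));
        proof
    }
    pub fn validate_chain(&mut self, chain: &[Step], now: u64) -> Proof {
        let secure = chain.iter().all(|s| self.validate_step(s, now) == Proof::Secure);
        if secure { Proof::Secure } else { Proof::Bogus }
    }
}

fn step(name: &'static str, rtype: &'static str) -> Step { Step { name, rtype, ttl: 300, sig_expires: 10_000 } }

/// Cumulative crypto-op count after: the SOA query, the DS query, a DS query past the TTL.
pub fn demo() -> Vec<usize> {
    let mut cache = ProofCache::default();
    let soa = [step("com.", "DS"), step("nameservers.com.", "DS"), step("nameservers.com.", "SOA")];
    [(&soa[..], 0), (&soa[..2], 10), (&soa[..2], 400)].iter()
        .map(|&(chain, now)| { cache.validate_chain(chain, now); cache.crypto_ops })
        .collect()
}
fn main() { println!("{:?}", demo()); }
```

In this model the second query adds no signature checks, and the two DS steps are re-verified only once their cached proofs have aged out.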


@cpu commented on GitHub (Dec 2, 2025):

I believe this is addressed by https://github.com/hickory-dns/hickory-dns/pull/3351, please reopen with details on what's missing if I'm wrong!
