return address for failed DNSSEC validation

Mark Andrews marka at isc.org
Thu Mar 11 21:38:14 UTC 2010


In message <4B98FD2D.5080704 at restena.lu>, Gilles Massen writes:
> Mark Andrews wrote:
> 
> >> Obviously there are parallels to NXDOMAIN rewriting. However, the major
> >> difference I see is that NXDOMAIN is a clear message, known by the OSs
> >> and applications, that has basically one meaning. SERVFAIL is more like
> >> 'didn't work. go figure.' And the good thing is that 'validation error
> >> rewriting' could be abandoned again if DNSSEC arrives at the
> >> OS/applications.
> > 
> > 99.9% of the time SERVFAIL means "the owner of the zone stuffed up,
> > go figure".  Doing DNSSEC wrong is just another way the owner of
> > the zone can stuff up.  It doesn't need special handling.
> 
> From a purely technical point of view, I agree. However there is a
> significant difference: until now SERVFAIL means "I wasn't able to
> wrestle information out of the DNS despite its extraordinary
> resilience to stupid configurations". In case of a validation error it
> is rather "I don't want to show you. Not even that there was an answer and
> that my warnings could be ignored".

No.  It's I've tried real hard to get you an answer which is not a
forgery but I can't.

> The DNS protocol is not equipped to signal that. But a resolver could
> give help - with shortcomings, but still something.
> 
> Best,
> Gilles
> 
> -- 
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
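The point the two messages circle around is what a client can and cannot learn from the response header. As an added illustration, not code from this thread or from BIND, the following Python decodes the fixed 12-byte DNS header and reports what a stub resolver can conclude from it: NXDOMAIN (with or without the AD bit) is a definite statement, while SERVFAIL carries no reason at all. The sample responses are constructed headers only (no question or answer sections) and the labels are my own.

```python
"""Classify DNS response headers: NXDOMAIN is unambiguous, SERVFAIL is not."""
import struct
from typing import NamedTuple

# Header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035).
FLAG_QR = 0x8000  # response (1) or query (0)
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated this answer
FLAG_CD = 0x0010  # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


class DnsHeader(NamedTuple):
    ident: int
    qr: bool
    ad: bool
    cd: bool
    rcode: int
    qdcount: int
    ancount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header at the start of a wire message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(ident=ident,
                     qr=bool(flags & FLAG_QR),
                     ad=bool(flags & FLAG_AD),
                     cd=bool(flags & FLAG_CD),
                     rcode=flags & RCODE_MASK,
                     qdcount=qd, ancount=an)


def classify(msg: bytes) -> str:
    """Say what a stub resolver can conclude from the header alone."""
    h = parse_header(msg)
    if not h.qr:
        return "not a response"
    if h.rcode == 0:
        what = "answer" if h.ancount else "NODATA"
        return f"{'validated' if h.ad else 'unvalidated'} {what}"
    if h.rcode == 3:
        return f"{'validated' if h.ad else 'unvalidated'} NXDOMAIN"
    if h.rcode == 2:
        # The header carries no reason: a broken zone, an unreachable
        # authoritative server and a DNSSEC validation failure all look alike.
        return "SERVFAIL (cause not signalled)"
    return RCODE_NAMES.get(h.rcode, f"RCODE{h.rcode}")


def build_header(ident: int, flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Pack a 12-byte header; used here only to construct sample responses."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample responses (header only; question/answer sections omitted).
SAMPLES = {
    "validated": build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, ancount=1),
    "unvalidated": build_header(0x1235, FLAG_QR | FLAG_RD | FLAG_RA, ancount=1),
    "nxdomain": build_header(0x1236, FLAG_QR | FLAG_RD | FLAG_RA | 3),
    "nxdomain_validated": build_header(0x1237, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | 3),
    "servfail": build_header(0x1238, FLAG_QR | FLAG_RD | FLAG_RA | 2),
    "query": build_header(0x1239, FLAG_RD),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:20s} -> {classify(msg)}")
```

Two things worth checking against this: a client that wants to see the data a validating resolver refused can re-query with the CD bit set and validate on its own, which is the standard escape hatch rather than any rewriting of the rcode; and a reason code inside the response only became possible much later, with the EDNS Extended DNS Errors option (RFC 8914, 2020), which did not exist when this thread was written.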