Mark Andrews wrote:
>> Obviously there are parallels to NXDOMAIN rewriting. However, the major
>> difference I see is that NXDOMAIN is a clear message, known by the OSs
>> and applications, that has basically one meaning. SERVFAIL is more like
>> 'didn't work. go figure.' And the good thing is that 'validation error
>> rewriting' could be abandoned again if DNSSEC arrives at the
>> OS/applications.
>
> 99.9% of the time SERVFAIL means "the owner of the zone stuffed up,
> go figure". Doing DNSSEC wrong is just another way the owner of
> the zone can stuff up. It doesn't need special handling.
From a purely technical point of view, I agree. However there is a significant
difference: until now SERVFAIL means "I wasn't able to wrestle information out
of the DNS despite its extraordinary resilience to stupid configurations". In
case of a validation error it is rather "I don't want to show you. Not even
that there was an answer and that my warnings could be ignored". The DNS
protocol is not equipped to signal that. But a resolver could give help - with
shortcomings, but still something.

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
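As an added example (not from this thread, and not BIND code): a client-side diagnostic that uses the one signal the protocol does provide, the CD (Checking Disabled) bit of RFC 4035 section 3.2.2, to tell a validation-failure SERVFAIL from an ordinary one. The responses are constructed header-only messages and the function names are my own.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 4.1.1; AD/CD bits per RFC 4035 3.1.6)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),  # Authentic Data: resolver vouches for the answer
        "cd": bool(flags & 0x0010),  # Checking Disabled: validation was skipped
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify_servfail(normal: bytes, cd_retry: bytes) -> str:
    """
    normal:   response to the query sent with CD=0 (validation on)
    cd_retry: response to the same query sent with CD=1 (validation off)
    A zone whose DNSSEC is bogus still answers the retry; a zone that is
    genuinely broken stays SERVFAIL either way.
    """
    h0, h1 = parse_header(normal), parse_header(cd_retry)
    if h0["rcode"] != RCODE_SERVFAIL:
        return "not-servfail"
    if h1["rcode"] == RCODE_SERVFAIL:
        return "server-failure"       # validation is not the cause
    if h1["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN) and not h1["ad"]:
        return "validation-failure"   # data exists; resolver refused to vouch for it
    return "indeterminate"

def build_header(ident: int, rcode: int, cd: bool = False, ancount: int = 0) -> bytes:
    """Constructed response header: QR=1, RD=1, RA=1 plus the given RCODE and CD bit."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0010 if cd else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

# Constructed sample exchanges (headers only; question/answer sections omitted).
BOGUS_ZONE = (build_header(0x1234, RCODE_SERVFAIL),
              build_header(0x1235, RCODE_NOERROR, cd=True, ancount=1))
BROKEN_ZONE = (build_header(0x2234, RCODE_SERVFAIL),
               build_header(0x2235, RCODE_SERVFAIL, cd=True))

if __name__ == "__main__":
    print("bogus zone  ->", classify_servfail(*BOGUS_ZONE))   # validation-failure
    print("broken zone ->", classify_servfail(*BROKEN_ZONE))  # server-failure
```

Against a live resolver the two byte strings would be the raw responses of the same question sent twice, once with CD clear and once with CD set.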