In message <4b98fd2d.5080...@restena.lu>, Gilles Massen writes:
> Mark Andrews wrote:
>
> >> Obviously there are parallels to NXDOMAIN rewriting. However, the major
> >> difference I see is that NXDOMAIN is a clear message, known by the OSs
> >> and applications, that has basically one meaning. SERVFAIL is more like
> >> 'didn't work. go figure.' And the good thing is that 'validation error
> >> rewriting' could be abandoned again if DNSSEC arrives at the
> >> OS/applications.
> >
> > 99.9% of the time SERVFAIL means "the owner of the zone stuffed up,
> > go figure". Doing DNSSEC wrong is just another way the owner of
> > the zone can stuff up. It doesn't need special handling.
>
> From a purely technical point of view, I agree. However there is a
> significant difference: until now SERVFAIL means "I wasn't able to
> wrestle an information out of the DNS despite its extraordinary
> resilience to stupid configurations". In case of a validation error it
> is rather "I don't want to show you. Not even that there was an answer and
> that my warnings could be ignored".

No. It's "I've tried real hard to get you an answer which is not a
forgery but I can't."

> The DNS protocol is not equipped to signal that. But a resolver could
> give help - with shortcomings, but still something.
>
> Best,
> Gilles
>
> --
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
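
An added example, not part of the thread: one way a client can tell the two SERVFAIL cases debated above apart is to repeat the query with the Checking Disabled (CD) header bit from RFC 4035 and compare the two responses. The CD-bit probe is not mentioned by either poster; the function names and the header-only sample responses are constructed for illustration.

```python
import struct

NOERROR, SERVFAIL = 0, 2
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010  # DNS header flag bits

def build_query(qname, qtype=1, cd=False, txid=0x4242):
    """Wire-format query with RD set; cd=True also sets Checking Disabled."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Extract RCODE, the AD/CD flags and the answer count from a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & AD),
            "cd": bool(flags & CD), "ancount": ancount}

def classify(normal_resp, cd_resp):
    """Compare the answer to a normal query with the answer to the CD=1 retry."""
    normal, unchecked = parse_header(normal_resp), parse_header(cd_resp)
    if normal["rcode"] != SERVFAIL:
        return "not-servfail"
    # Data comes back only when validation is skipped: the resolver reached
    # the zone but could not validate what it received.
    if unchecked["rcode"] == NOERROR and unchecked["ancount"] > 0:
        return "validation-failure-likely"
    # Still failing with validation off: the zone is unreachable or broken.
    return "resolution-failure"

def _header(flags, ancount):
    """Constructed header-only response, enough for parse_header()."""
    return struct.pack("!6H", 0x4242, flags, 1, ancount, 0, 0)

# Constructed sample responses (not captured traffic).
SERVFAIL_RESP = _header(QR | RD | RA | SERVFAIL, 0)
CD_ANSWER_RESP = _header(QR | RD | RA | CD, 1)
CD_SERVFAIL_RESP = _header(QR | RD | RA | CD | SERVFAIL, 0)

if __name__ == "__main__":
    print(classify(SERVFAIL_RESP, CD_ANSWER_RESP))
    print(classify(SERVFAIL_RESP, CD_SERVFAIL_RESP))
```

Data returned to a CD=1 query has not been validated by the resolver, so the probe is a diagnostic and not a source of answers to act on.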