Re: return address for failed DNSSEC validation

[Kevin Darcy]

On 3/11/2010 2:54 AM, Gilles Massen wrote:
Mark, Mat,
Mat wrote:
   
End users will get confused by this, but then there are plenty of
other possibilities with and without DNS they may get confused about.
I think providing help to them should be dealt with by the OS instead
of bloating DNS. Upon return of any error by DNS (or any other
subsystem) it can show them a useful, platform-dependent message how
to fix it.
     
Mark Andrews wrote:
   
        Additionally you can detect a DNSSEC failure by asking
        queries with and without the CD bit set.

        Most DNSSEC failures can be diagnosed with dig, knowing the
        current time and date and access to named.conf for the trust
        anchors.  There are actually easier to diagnose than most
        other DNS failure issues.
     

I agree with both of you, but you are missing the point. The problem
space is users that don't know about DNS, and that don't have a local
validating resolver. So there is no point of even considering dig.

As soon as applications (or local stub resolvers) are validating, that
would be the place to generate a "user compatible" error. But in the
best case this will take years. In the mean term we are stuck with dummy
users, and ISPs that might want to enable validation, but might also be
kept off by the cost that unexplainable (or rather unexplained) failures
will produce (Helpdesk). Being able to return 'something' in case of
validation failures (and only them, not any SERVFAIL!) looks as it were
in the interest of the adoption of DNSSEC.

Obviously there are parallels to NXDOMAIN rewriting. However, the major
difference I see is that NXDOMAIN is a clear message, known by the OSs
and applications, that has basically one meaning. SERVFAIL is more like
'didn't work. go figure.' And the good thing is that 'validation error
rewriting' could be abandoned again if DNSSEC arrives at the
OS/applications.

   
The fundamental requirement is that the requestor needs to know that 
their query FAILED. When you send back a "helpful", answerful response 
for a failure, either under NXDOMAIN redirection or your proposal, then 
you essentially deceive the client and confuse any troubleshooting efforts.

SERVFAIL may not be as specific as we'd like for this particular failure 
mode, but it takes many years to define and get a new RCODE implemented, 
and DNSSEC can't wait for that.

                                                                        
                                                - Kevin


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users