On Sat, Apr 26, 2014 at 07:32:50AM +0200, Martin Rex wrote:
> > because, the authoritative nameservers are broken:
> >
> > $ dig +norecur +adflag +noall +comment +ans -t tlsa
> > _25._tcp.nist-gov.mail.protection.outlook.com
> > @ns1-proddns.glbdns.o365filtering.com
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 54501
> > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> The authoritative nameservers return a perfectly valid and reasonable
> response, in full conformance with STD13.
[ This particular nit-pick sub-thread is of no practical consequence,
just a bit of pontification by all concerned, including me. Whether
the authoritative nameservers are broken, or every resolver is broken
is immaterial, the TLSA query needs to be suppressed either way. ]
And yet they're broken. The query domain does not in fact exist,
and the right response is NXDOMAIN. Had it existed, since the
servers are authoritative, the right response would be "NODATA"
(no error code and an empty answer section).
> But in case that _all_ authoritative nameservers do return NOTIMP,
> then the recursive resolver is broken, because it is erroneously
> turning a crystal-clear STD13-compliant permanent failure into a
> temporary failure.
We've been through this before:
http://www.ietf.org/mail-archive/web/dane/current/msg06199.html
and containing thread. I only brought it up again to bring Tom
Ritter up to speed.
--
Viktor.
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
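As an added illustration of the distinction the reply turns on (NXDOMAIN for a name that does not exist, NODATA for a name that exists but has no RRs of the queried type, NOTIMP as what these servers actually send), here is a small standard-library Python parser that classifies a DNS response by its RCODE and ANCOUNT, plus an aggregation step that applies the reasoning argued in the thread: a negative answer from an authoritative server is definitive, unanimous NOTIMP is treated as a permanent negative rather than a temporary failure, and anything else defers. This is example code written for this page, not from the post or either participant; the responses are constructed inline (no query is sent to the nameservers named above), DNSSEC validation is not modelled, and the `tlsa_outcome` policy is an assumption about how a DANE client might act on these classifications, not text from STD 13 or RFC 6698.

```python
"""Classify DNS responses as NXDOMAIN / NODATA / NOTIMP and aggregate them.

Added example; sample responses are constructed here, not captured from
the servers discussed in the thread.
"""
import struct

# RCODE values from STD 13 (RFC 1035, section 4.1.1)
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_NOTIMP = 0, 2, 3, 4
QTYPE_TLSA = 52                      # TLSA RR type, RFC 6698
FLAG_QR, FLAG_AA = 0x8000, 0x0400    # header flag bits


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qid, rcode, qname, qtype, ancount=0, aa=True):
    """Build a minimal response: 12-byte header plus the echoed question.

    Answer RRs are not serialised; ANCOUNT alone is what the classifier
    needs. Constructed test data, not a captured packet."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def classify(msg):
    """Map one response to the vocabulary used in the thread."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x0F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"                         # the name does not exist
    if rcode == RCODE_NOTIMP:
        return "NOTIMP"                           # what the post's dig shows
    if rcode == RCODE_SERVFAIL:
        return "SERVFAIL"
    if rcode == RCODE_NOERROR:
        return "ANSWER" if ancount else "NODATA"  # name exists, no RRs of this type
    return "OTHER"


def tlsa_outcome(responses):
    """Aggregate the responses from every authoritative server that was asked.

    Returns "tlsa" (records present), "no-tlsa" (definitive negative), or
    "tempfail" (retry later; must not be read as 'no DANE'). Treating
    unanimous NOTIMP as a permanent negative is the position argued in the
    thread; it is an assumed policy here, not a rule STD 13 states for
    resolvers.
    """
    kinds = [classify(r) for r in responses]
    if "ANSWER" in kinds:
        return "tlsa"
    if "NXDOMAIN" in kinds or "NODATA" in kinds:
        return "no-tlsa"
    if kinds and all(k == "NOTIMP" for k in kinds):
        return "no-tlsa"
    return "tempfail"


if __name__ == "__main__":
    qname = "_25._tcp.nist-gov.mail.protection.outlook.com"
    # Mirrors the header in the post: status NOTIMP, id 54501, flags qr only.
    notimp = build_response(54501, RCODE_NOTIMP, qname, QTYPE_TLSA, aa=False)
    print(classify(notimp), tlsa_outcome([notimp, notimp]))
```

Run as a script it prints the classification of a response shaped like the one in the post and the aggregate verdict for two such servers; the same functions can be pointed at real packets read from a socket, since only the header and question section are interpreted.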