I asked on the Unbound mailing list if there were any ways to differentiate between DNSSEC-related SERVFAILs and other types of SERVFAILs, and was referred to the extended error draft: https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error-02.
I can't speak to the implementation detail, but I can confirm that this would be a very useful thing for ACME servers (and probably CAs in general). In particular, ACME defines a number of error types, one of which is "dnssec" (DNSSEC validation failed). Right now Boulder, Let's Encrypt's ACME server, never returns that because it's hard to distinguish error types. We get a lot of support requests from people who get SERVFAILs and don't know why. If we could provide a more detailed error message to start with, the people attempting to issue certificates and getting errors would be able to help themselves more easily. I'm also somewhat in support of the extended textual error message concept. ACME provides textual error messages in addition to error types, and it's been very useful and informative.
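An added example (not from the thread, and not Boulder's code, written in Python rather than Boulder's Go) of how a CA could use the extended error mechanism discussed above: parse the Extended DNS Error option out of a resolver's OPT record and turn a SERVFAIL into ACME's "dnssec" error type when the resolver reports a DNSSEC validation failure, or the generic "dns" type otherwise. It assumes the option code and INFO-CODEs as published in RFC 8914, the final form of the cited draft, and the ACME error types from RFC 8555; the OPT RDATA samples are constructed.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS option code assigned to Extended DNS Error (RFC 8914)

# INFO-CODEs that mean the resolver failed DNSSEC validation (RFC 8914, section 4)
DNSSEC_INFO_CODES = {
    1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing",
}


def parse_edns_options(rdata: bytes):
    """Yield (option_code, option_data) pairs from the RDATA of an OPT RR."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        yield code, rdata[pos:pos + length]
        pos += length


def extended_errors(rdata: bytes):
    """Return [(info_code, extra_text)] for every EDE option in the OPT RDATA."""
    found = []
    for code, data in parse_edns_options(rdata):
        if code == EDE_OPTION_CODE and len(data) >= 2:
            info_code = struct.unpack("!H", data[:2])[0]
            found.append((info_code, data[2:].decode("utf-8", errors="replace")))
    return found


def acme_error_for_servfail(opt_rdata: bytes):
    """Classify a SERVFAIL: ("dnssec", detail) when the resolver attached a
    DNSSEC-related EDE, otherwise ("dns", detail) as ACME's generic DNS error."""
    for info_code, text in extended_errors(opt_rdata):
        if info_code in DNSSEC_INFO_CODES:
            detail = DNSSEC_INFO_CODES[info_code] + (f": {text}" if text else "")
            return "dnssec", detail
    return "dns", "SERVFAIL from resolver (no DNSSEC extended error reported)"


# Constructed OPT RDATA: one EDE option, INFO-CODE 7 (Signature Expired) plus EXTRA-TEXT
SAMPLE_BOGUS = (struct.pack("!HH", EDE_OPTION_CODE, 2 + 12)
                + struct.pack("!H", 7) + b"example.test")
# Constructed OPT RDATA: an unrelated option (code 10, COOKIE) then EDE INFO-CODE 23 (Network Error)
SAMPLE_OTHER = (struct.pack("!HH", 10, 8) + b"\x01" * 8
                + struct.pack("!HH", EDE_OPTION_CODE, 2) + struct.pack("!H", 23))
```

Both samples are what a resolver would put in the OPT record's RDATA; a non-DNSSEC EDE (here, Network Error) still lands in the generic "dns" bucket.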
