I guess that I understand your concern, but we don't have any way to 
authenticate servers in DNS today and we already send error messages back. 

I'm happy with error codes that are informational, but don't change client 
behavior. Yes, I realize that users may be tricked, but that's also the case 
today, right? 

On 29 July 2017 14:53:48 GMT+02:00, Paul Wouters <p...@nohats.ca> wrote:
>
>> This starts a Call for Adoption for draft-wkumari-dnsop-extended-error
>
>I have reviewed the draft, and while I think it could be useful, I'm
>seriously worried about sending unauthenticated errors back to the user,
>and fear that software will start using these without first validating
>the response using DNSSEC.
>
>I would like to see more discussion on this topic before adopting this
>document with a focus on how we could secure these error codes.
>
>Paul
>
>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.