On Thu, Feb 14, 2019 at 12:34 PM Warren Kumari <[email protected]> wrote:

>
>
> On Thu, Feb 14, 2019 at 2:53 PM Stephane Bortzmeyer <[email protected]>
> wrote:
>
>> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
>>  [email protected] <[email protected]> wrote
>>  a message of 44 lines which said:
>>
>> >         Title           : Extended DNS Errors
>> >         Authors         : Warren Kumari
>> >                           Evan Hunt
>> >                           Roy Arends
>> >                           Wes Hardaker
>> >                           David C Lawrence
>> >       Filename        : draft-ietf-dnsop-extended-error-04.txt
>>
>> Some remarks but before, note I think that it is very important that
>> we have a way to report more detailed error causes. One of the biggest
>> problems of DNSSEC is that there is no easy way for the resolver to
>> report to the application about a DNSSEC problem. So, the work on this
>> draft is essential.
>>
>>
> Thank you, I / we certainly think so.
>
>
>
>> Now, the problems:
>>
>>
>> > 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
>> >
>> >   A DS record existed at a parent, but no DNSKEY record could be found
>> >   for the child.
>>
>> I suggest to replace "no DNSKEY record could be found for the child"
>> by "no DNSKEY record for this specific key could be found for the
>> child".
>>
>>
> LGTM.
>

I disagree; I concur with Michael Sheldon (my colleague).

I think the semantics that need to be expressed are:
"No matching DS/DNSKEY pairs could be found for the child."

It doesn't necessarily require the absence of specific DS records in the
parent, or DNSKEY records in the child, or the complete absence of e.g. DNSKEYs.

It may or may not make any sense to call out other sources of error leading
to this condition, e.g. in the EXTRA-TEXT field.
(No DNSKEYs; No valid DNSKEYs; No valid DS records; Valid DS with Expired
RRSIG; Valid DNSKEY with Expired RRSIG, etc.)

And it definitely should only be SERVFAIL iff no matching, valid DS/DNSKEY
pairs (i.e. DNSSEC validated DNSKEY, with matching, understood algorithms
and non-expired signatures exist).

Brian
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
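As an added illustration of the "no matching DS/DNSKEY pair" condition argued in the thread above (example code written for this page, not from the draft or any of the posters): the match is decided per DS by key tag, algorithm and the digest over owner name plus DNSKEY RDATA, so DS and DNSKEY records can both exist while no pair matches. The owner name and key bytes are constructed, and RRSIG validation of the DNSKEY RRset is deliberately left out.

```python
import hashlib
import struct
# Constructed example: a DS from the parent and DNSKEYs from the child. Not real zone data.
OWNER = "example."
CHILD_KEYS = [
    (257, 3, 13, bytes(range(32))),        # KSK whose DS the parent publishes
    (256, 3, 13, bytes(range(32, 64))),    # ZSK, no DS expected for it
]

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def make_ds(owner: str, key, digest_type: int):
    """DS tuple (key_tag, algorithm, digest_type, digest) for a DNSKEY, RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(*key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), key[2], digest_type, digest)

def matching_pairs(owner: str, ds_set, dnskey_set):
    """(DS, DNSKEY) pairs whose key tag, algorithm and digest all agree.
    A DS with an unsupported digest type can never match, so it yields no pair."""
    return [(ds, key) for ds in ds_set for key in dnskey_set
            if ds[2] in DIGESTS and make_ds(owner, key, ds[2]) == ds]

def dnskey_missing(owner: str, ds_set, dnskey_set) -> bool:
    """Extended error 5 as argued above: DS and DNSKEY records may both exist, yet no pair matches."""
    return not matching_pairs(owner, ds_set, dnskey_set)

if __name__ == "__main__":
    good_ds = make_ds(OWNER, CHILD_KEYS[0], 2)
    stale_ds = make_ds(OWNER, (257, 3, 13, bytes(range(64, 96))), 2)  # KSK rolled, DS not updated
    print("current DS ->", dnskey_missing(OWNER, [good_ds], CHILD_KEYS))   # False
    print("stale DS   ->", dnskey_missing(OWNER, [stale_ds], CHILD_KEYS))  # True
```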