Thanks for your feedback about the extended errors draft. Below are
responses to some of your previously raised points in email to dnsop:
8.4 Ralph Dolmans
~~~~~~~~~~~~~~~~~
I made an Extended DNS Errors implementation in Unbound during the
IETF104 hackathon. Implementing the code that handles the errors was
rather straightforward, the difficult part is (as Stéphane already
pointed out) finding the right locations in the code for the
individual errors. Some remarks regarding the draft:
8.4.1 NOCHANGE Since it is possible to have multiple extended error options, is
it
----------------------------------------------------------------------------------
expected to return all errors that match the result, or only the most
specific one? For example: if a DNSSEC signatures is expired should
both the "DNSSEC bogus" (SERVFAIL/Extended error 1) and the "Signature
expired" (SERVFAIL/Extended error 2) be returned?
+ Response: I'd return what seems to be the most appropriate set,
given the situation. I think both of the above seem to apply so the
question is, would it be confusing to ever return "too much". I'm
not sure we want to over-specify and implementations should be free
to pick what debugging/info-codes they think is best to return.
IMHO, personally, I think sig expired is sufficient because it
implies the BOGUS code already.
8.4.2 DONE I am not sure whether linking the info code to the rcode is a good
idea.
-----------------------------------------------------------------------------------
Some info codes can happen for different rcodes. It is in Unbound for
example possible to block a domain by sending a REFUSED rcode, while
the document list blocking only for the NXDOMAIN rcode. If the
rcode/info-code coupling will remain then I would like to have the
same info code for a specific error under different rcodes, for
example always use info-code 1 for blocking.
+ Response: Per discussion at IETF105, the linking is now dropped.
8.4.3 NOCHANGE Since EDNS is hop-by-hop, only error information from the
resolver you
-------------------------------------------------------------------------------------
are talking to is returned. There are cases when the interesting
information is not in the first resolver. For example: if a resolver
forwards queries to another one and the last one does DNSSEC
validation then the resolver you are talking to does not generate the
interesting information. Is it maybe an idea to add some text stating
that extended error-aware resolvers should forward the received EDNS
option?
+ We sort of discussed this at one point in various venues (both
physical and electronic). I think the resolution was "lets leave
that for an update once we get more experience". I think picking
when to forward and when it's meant "just for you" becomes complex
and harder to specify.
8.4.4 DONE I think having the extra information provided by this document is
useful
-----------------------------------------------------------------------------------
for debugging, and only for that. This extra information should not be
used to make any DNS resolving decision, which makes the retry flag a
bad idea. At the moment I don't have to trust all my secondaries as
long as my zone is DNSSEC signed. The worst thing they can do is not
return my data or tamper with it, in which case the validating
resolver will ignore it and try another nameserver. Giving a
nameserver the power to instruct a resolver to not try at another
nameserver gives them the power to make my zone unavailable. This
completely changes the current trust model. Please remove the retry
flag from the document.
+ The R bit has been removed in the latest flag, due to your and other
people's requests :-)
--
Wes Hardaker
USC/ISI
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
