Viktor Dukhovni <[email protected]> wrote:
> > On Oct 2, 2019, at 8:01 AM, Tony Finch <[email protected]> wrote:
> >
> > Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG
> > missing)?
>
> No it is not. The indeterminate state happens when DS RRset lookups
> servfail, for the zone or one of its ancestors, this could be a lookup
> timeout or a validation issue. So not identical with DNSKEY missing.

So EDE 22 or 23 then? You can't handwave "validation issue" here because
the point of these error codes is to explain what kind of validation issue.

> > [ I'm still not convinced "indeterminate" is a coherent validation state...
> > ]
>
> It happens when glue NS records are available, but DS RRsets are not.

That is "insecure".

I think the definitions of the terms in RFC 4033 are a lot more clear than
RFC 4035. By the 4033 definitions the distinction between insecure and
indeterminate is whether you have a covering trust anchor or not, so
nothing is indeterminate any more for normal validator configurations.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Dover, Wight: South 4 or 5, veering west 5 to 7, perhaps gale 8 later. Slight
or moderate, becoming moderate or rough, occasionally very rough later in
Wight. Fair then rain. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
