On Thu, 16 Oct 2025, Paul Hoffman wrote:
>> Personally I think one code for all limits would be enough. It would be a
>> signal for whoever is debugging - system operates normally, but either you or
>> the auth side are doing something weird, and they should inspect logs. I have
>> no intention of disclosing specific numeric values in the EDE response.
>> WDYT?
> Yes, please! No need to have a different code for each limit, because some resolvers
> might limit only if $a>12 and $b<5, for example. That's what the extra text is
> for.
A general error message seems good.
Giving out the exact limits does allow an attacker to tune the most
expensive attack against such a resolver. I am not sure if that is
wise.
How would this work on a forwarder? Would it copy the EDE from its
forwarder to its client? Would a validating forwarder handle this
differently from a non-validating forwarder?
Paul W
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
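For readers who want to see what the proposal above looks like on the wire, here is an added example (not code from the thread or from any DNS implementation) that encodes and decodes the RFC 8914 Extended DNS Error option, builds the single generic "limit exceeded" EDE with EXTRA-TEXT that names the condition but discloses no threshold, and shows one way a forwarder could copy EDE options from its upstream's OPT RDATA while dropping hop-by-hop options such as DNS Cookies. The INFO-CODE value is an assumption: the thread assigns none, so a value from the private-use range that RFC 8914 reserves stands in for it. The option data and the cookie option are constructed inline.

```python
import struct

# EDNS0 option code for Extended DNS Errors (RFC 8914).
EDE_OPTION_CODE = 15
# DNS Cookie option (RFC 7873). Cookies are hop-by-hop and must not be relayed.
COOKIE_OPTION_CODE = 10

# Assumption: the thread assigns no number to the single "limit exceeded" code.
# RFC 8914 reserves INFO-CODEs 49152-65535 for private use, so this
# hypothetical value stands in for it here.
HYPOTHETICAL_LIMIT_CODE = 49152


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT."""
    if not 0 <= info_code <= 0xFFFF:
        raise ValueError("INFO-CODE must fit in 16 bits")
    text = extra_text.encode("utf-8")
    if 2 + len(text) > 0xFFFF:
        raise ValueError("EXTRA-TEXT too long for a 16-bit OPTION-LENGTH")
    return struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text


def decode_options(opt_rdata: bytes) -> list:
    """Split the RDATA of an OPT RR into (option-code, option-data) pairs.

    Length fields come from the wire, so every read is bounds-checked."""
    options = []
    i = 0
    while i < len(opt_rdata):
        if i + 4 > len(opt_rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, i)
        i += 4
        if i + length > len(opt_rdata):
            raise ValueError("option data runs past the end of OPT RDATA")
        options.append((code, opt_rdata[i:i + length]))
        i += length
    return options


def parse_ede(option_data: bytes) -> tuple:
    """Return (INFO-CODE, EXTRA-TEXT) from the data of one EDE option."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than its INFO-CODE")
    (info_code,) = struct.unpack_from("!H", option_data, 0)
    # EXTRA-TEXT is UTF-8 from the network; tolerate bad bytes rather than crash.
    return info_code, option_data[2:].decode("utf-8", errors="replace")


def limit_exceeded_ede() -> bytes:
    """One generic code for every limit; the text points at the logs, not at
    the numeric thresholds an attacker could tune against."""
    return encode_ede(HYPOTHETICAL_LIMIT_CODE,
                      "query exceeded a resolver limit; inspect the resolver's logs")


def forward_opt_rdata(upstream_opt_rdata: bytes) -> bytes:
    """One possible forwarder policy (an assumption, not RFC text): copy EDE
    options from the upstream response through to the client unchanged, and
    drop everything else, since options such as cookies are hop-by-hop."""
    out = b""
    for code, data in decode_options(upstream_opt_rdata):
        if code == EDE_OPTION_CODE:
            out += struct.pack("!HH", code, len(data)) + data
    return out
```

Whether a validating forwarder should treat an upstream EDE differently, as Paul W asks, is not settled by anything above; the copy-through policy in `forward_opt_rdata` is just the simplest behaviour to reason about, and it deliberately never rewrites the upstream EXTRA-TEXT.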