On Wed, May 27, 2026 at 09:04:21AM -0400, Paul Wouters wrote:
>
>
> > On May 27, 2026, at 03:09, Lars Eggert <[email protected]> wrote:
> >
> > Hi,
> >
> >> On May 26, 2026, at 20:00, Mukund Sivaraman <[email protected]> wrote:
> >> It is a textual message for users to consume and for clients to display
> >> to users. Web browsers may have strict policies on what they display in
> >> some contexts, but that doesn't mean that DNS should not distribute this
> >> textual information.
> >
> > IMO there is zero chance browsers will show this text to users in *any*
> > context. What other clients do you envision to be different?
>
> And it’s not because they are just stubborn. Any free flow text that an
> attacker can populate will be abused by attackers for malicious messages.
>
> I already have to support some non-technical people inundated with “your
> phone is infected, click here” messages. Free form fields are dangerous.
>
> If this is not an “enduser” free form field, but a debugging thing, language
> tags seem overkill and are rarely used by implementations to customize the
> error message for specific languages
>
> That llms say to use nslookup, a tool that has been obsoleted longer than the
> age of half the people on this list is perhaps an indication that these are
> not strong arguments to use for implementation decisions at the protocol
> level.

nslookup was deprecated in the BIND tree for a period of time for having
a history of inconsistent behavior and a confusing interface. nslookup
was undeprecated in the BIND tree around the 9.3 timeframe - see change
1700 in the bind9 CHANGES file, but I don't have the exact version tag
handy. It is available in the Debian bind9-utils package, the Fedora
bind-utils package, etc. and its manpage does not have any notices about
obsoletion or deprecation. (I'm not recommending that nslookup be used
over dig.)

I guess the reason the LLMs include nslookup in their troubleshooting
advice is that, unlike dig, it is available from the OS vendor on the
common OS platforms (Windows, Mac OS, Linux).

I agree with you that the fact that LLMs suggest that a non-savvy user
troubleshoot on their own is not any reason to consider if EXTRA-TEXT
ought to be included in DNS responses. But I've made my points in my
previous email on how it is useful.

Mukund
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
