Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-12.txt
Tony Finch <dot@dotat.at> Thu, 03 October 2019 11:11 UTC
Date: Thu, 03 Oct 2019 12:11:14 +0100
From: Tony Finch <dot@dotat.at>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R9tzrDuiJAohLVbUA2C7OYd8NPg>

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> On Oct 2, 2019, at 8:01 AM, Tony Finch <dot@dotat.at> wrote:
> >
> > Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG
> > missing)?
>
> No it is not. The indeterminate state happens when DS RRset lookups
> servfail, for the zone or one of its ancestors, this could be a lookup
> timeout or a validation issue. So not identical with DNSKEY missing.

So EDE 22 or 23 then? You can't handwave "validation issue" here because
the point of these error codes is to explain what kind of validation issue.

> > [ I'm still not convinced "indeterminate" is a coherent validation state... ]
>
> It happens when glue NS records are available, but DS RRsets are not.

That is "insecure".

I think the definitions of the terms in RFC 4033 are a lot more clear than
RFC 4035. By the 4033 definitions the distinction between insecure and
indeterminate is whether you have a covering trust anchor or not, so
nothing is indeterminate any more for normal validator configurations.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Dover, Wight: South 4 or 5, veering west 5 to 7, perhaps gale 8 later. Slight
or moderate, becoming moderate or rough, occasionally very rough later in
Wight. Fair then rain. Good, occasionally poor.
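
The RFC 4033 reading in the last paragraph of the message above, as an added sketch that is not part of the message or the draft: the four validation states decided from the covering trust anchor and the DS outcome at each zone cut. The function names, the outcome labels and the example.com data are hypothetical and constructed, and treating a failed DS lookup under a trust anchor as bogus is this example's assumption, not something the message states.

```python
from enum import Enum

class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"

def labels(name):
    """Split a domain name into lower-case labels; the root is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def covering_anchor(qname, trust_anchors):
    """Return the closest trust anchor at or above qname, or None."""
    q, best = labels(qname), None
    for ta in trust_anchors:
        t = labels(ta)
        covers = not t or q[-len(t):] == t   # root covers every name
        if covers and (best is None or len(t) > len(labels(best))):
            best = ta
    return best

def classify(qname, trust_anchors, cuts, answer_validates=True):
    """Classify per the RFC 4033 section 5 definitions.

    cuts: (zone, ds_outcome) pairs for the delegations below the covering
    trust anchor, top down. ds_outcome is one of:
      "signed" - a validated DS RRset exists (secure delegation)
      "absent" - validated proof that no DS RRset exists
      "failed" - DS lookup SERVFAIL, timeout, or signatures did not verify
    """
    if covering_anchor(qname, trust_anchors) is None:
        return State.INDETERMINATE       # no anchor says this subtree is signed
    for _zone, outcome in cuts:
        if outcome == "absent":
            return State.INSECURE        # signed proof the chain ends here
        if outcome == "failed":
            return State.BOGUS           # assumption: cannot prove insecure
    return State.SECURE if answer_validates else State.BOGUS

if __name__ == "__main__":
    # Constructed sample: root trust anchor, DS lookup for example.com fails.
    cuts = [("com.", "signed"), ("example.com.", "failed")]
    print(classify("www.example.com.", ["."], cuts).value)
```

With a root trust anchor configured, no input to `classify` reaches the indeterminate branch; it is reachable only when the validator's anchors do not cover the name.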