Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-12.txt
Wes Hardaker <wjhns1@hardakers.net> Wed, 02 October 2019 21:37 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F95120043 for <dnsop@ietfa.amsl.com>; Wed, 2 Oct 2019 14:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6rVOotU0GJS for <dnsop@ietfa.amsl.com>; Wed, 2 Oct 2019 14:37:50 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC14E12002F for <dnsop@ietf.org>; Wed, 2 Oct 2019 14:37:49 -0700 (PDT)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 57EBC2A03B; Wed, 2 Oct 2019 14:37:49 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org, ietf@hardakers.net
References: <156997343802.26389.15326556193059712475@ietfa.amsl.com> <alpine.DEB.2.20.1910021250120.11804@grey.csi.cam.ac.uk>
Date: Wed, 02 Oct 2019 14:37:49 -0700
In-Reply-To: <alpine.DEB.2.20.1910021250120.11804@grey.csi.cam.ac.uk> (Tony Finch's message of "Wed, 2 Oct 2019 13:01:31 +0100")
Message-ID: <ybl5zl66d76.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TcdmexVOvcb4HPqDLblHSC5MdIo>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-12.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Oct 2019 21:37:52 -0000
Tony Finch <dot@dotat.at> writes: > I have had another read through. Thanks for the extra pass. (we still have IETF-wide last call to wade through too, FYI) > In the intro, one of the example uses for EDE is a server returning errors > because it has not finished starting up, but there is no EDE code for this > case. It's this one: 3.15. Extended DNS Error Code 14 - Not Ready The server is unable to answer the query as it is not fully functional (yet). > Re. EDE 0 "other", is it supposed to cover the situation when there are > multiple errors, e.g. different authoritative servers have different > problems? One, the latest version talks about servers MAY put in more than one EDE. But 0/other was "not in the list", IE there is not currently defined code that would help me but I want to include an error message that better describes it in the text section. > Re. EDE 5 indeterminate, RFC 4035 says: > > Indeterminate: An RRset for which the resolver is not able to > determine whether the RRset should be signed, as the resolver is > not able to obtain the necessary DNSSEC RRs. This can occur when > the security-aware resolver is not able to contact security-aware > name servers for the relevant zones. > > Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG > missing)? > > [ I'm still not convinced "indeterminate" is a coherent validation state... ] I think you're irght that 9/10 are specific cases of indeterminate. There might be implementation specific reasons too, though, so 5 is a fallback if you don't have anything more specific (and 0 is a fallback from that :-) ). Anyway, I've always hated the indeterminate marking because I agree it's incomplete and conflicts in definition between the two rfcs. I've devoted multiple slides in presentations to that issue. > Re. EDE 11 no DNSKEY zone bit, why is there a special case for this and > not for DNSKEY protocol not equal to 3? Are either of these errors that > anyone has seen in the wild? (If so I would love to know how that came to > pass!) It was suggested to be added, so I did. It does make some sense... but no, I've never seen it in the wild either. -- Wes Hardaker USC/ISI
- [DNSOP] I-D Action: draft-ietf-dnsop-extended-err… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Tim Wattenberg