Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 14 February 2019 22:28 UTC

References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
In-Reply-To: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 14 Feb 2019 14:27:51 -0800
Message-ID: <CAH1iCirYTO8oDUZ60nRa6dJKKbbfVxLmyDJyh2WJyDZ8q0L46A@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UNctyul4-KEdQ-kGxGzyX0sVUOY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt

On Thu, Feb 14, 2019 at 12:34 PM Warren Kumari <warren@kumari.net> wrote:

>
>
> On Thu, Feb 14, 2019 at 2:53 PM Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
>
>> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
>>  internet-drafts@ietf.org <internet-drafts@ietf.org> wrote
>>  a message of 44 lines which said:
>>
>> >         Title           : Extended DNS Errors
>> >         Authors         : Warren Kumari
>> >                           Evan Hunt
>> >                           Roy Arends
>> >                           Wes Hardaker
>> >                           David C Lawrence
>> >       Filename        : draft-ietf-dnsop-extended-error-04.txt
>>
>> Some remarks but before, note I think that it is very important that
>> we have a way to report more detailed error causes. One of the biggest
>> problems of DNSSEC is that there is no easy way for the resolver to
>> report to the application about a DNSSEC problem. So, the work on this
>> draft is essential.
>>
>>
> Thank you, I / we certainly think so.
>
>
>
>> Now, the problems:
>>
>>
>> > 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
>> >
>> >   A DS record existed at a parent, but no DNSKEY record could be found
>> >   for the child.
>>
>> I suggest to replace "no DNSKEY record could be found for the child"
>> by "no DNSKEY record for this specific key could be found for the
>> child".
>>
>>
> LGTM.
>

I disagree; I concur with Michael Sheldon (my colleague).

I think the semantics that need to be expressed are:
"No matching DS/DNSKEY pairs could be found for the child."

It doesn't necessarily require the absence of specific DS records in the
parent, or DNSKEY records in the child, or the complete absence of e.g.
DNSKEYs.

It may or may not make any sense to call out other sources of error leading
to this condition, e.g. in the EXTRA-TEXT field.
(No DNSKEYs; No valid DNSKEYs; No valid DS records; Valid DS with Expired
RRSIG; Valid DNSKEY with Expired RRSIG, etc.)

And it definitely should only be SERVFAIL iff no matching, valid DS/DNSKEY
pairs (i.e. DNSSEC-validated DNSKEYs with matching, understood algorithms
and non-expired signatures) exist.

Brian
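The following is an added example, not code from the draft or from anyone in this thread. It implements the "no matching, valid DS/DNSKEY pairs" test Brian describes: it computes the RFC 4034 key tag and the SHA-256 DS digest for each child DNSKEY, compares them against the parent's DS records, and returns both the SERVFAIL decision and one of the EXTRA-TEXT reasons Brian lists. Assumptions, labelled in the comments: the validator supports only algorithms 8 and 13, signature validity is modelled purely as an expiration timestamp (cryptographic verification is assumed to have happened elsewhere), and the key bytes are constructed, not real keys.

```python
"""Classify the EDE code 5 ('DNSKEY missing') condition for a child zone.

Added example; not part of draft-ietf-dnsop-extended-error or the thread.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHA256_DIGEST_TYPE = 2
# Assumption: the validator understands only RSASHA256 (8) and ECDSAP256SHA256 (13).
SUPPORTED_ALGORITHMS = {8, 13}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1, bit 7 of the flags field


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, octet in enumerate(key.rdata()):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(owner: str, key: DNSKEY) -> DS:
    """The SHA-256 DS record that a parent would publish for this DNSKEY (RFC 4509)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, SHA256_DIGEST_TYPE, digest)


def classify(owner: str,
             ds_rrs: List[DS], ds_rrsig_expires: Optional[int],
             dnskey_rrs: List[DNSKEY], dnskey_rrsig_expires: Optional[int],
             now: int) -> Tuple[bool, str]:
    """Return (is_servfail, extra_text) for the child zone `owner`.

    Signature validity is modelled only as 'RRSIG not expired at `now`';
    this assumes the RRSIGs were already cryptographically verified.
    """
    if not dnskey_rrs:
        return True, "No DNSKEYs"
    usable_ds = [d for d in ds_rrs
                 if d.algorithm in SUPPORTED_ALGORITHMS and d.digest_type == SHA256_DIGEST_TYPE]
    if not usable_ds:
        return True, "No valid DS records"
    if ds_rrsig_expires is None or ds_rrsig_expires < now:
        return True, "Valid DS with expired RRSIG"
    usable_keys = [k for k in dnskey_rrs
                   if k.protocol == 3 and k.algorithm in SUPPORTED_ALGORITHMS and k.flags & ZONE_KEY_FLAG]
    if not usable_keys:
        return True, "No valid DNSKEYs"
    # A pair matches when key tag, algorithm, digest type and digest all agree.
    pairs = [(d, k) for d in usable_ds for k in usable_keys if d == ds_for(owner, k)]
    if not pairs:
        return True, "No matching DS/DNSKEY pairs"
    if dnskey_rrsig_expires is None or dnskey_rrsig_expires < now:
        return True, "Valid DNSKEY with expired RRSIG"
    return False, ""


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with a placeholder public key.
    ksk = DNSKEY(257, 3, 13, b"\x01" * 64)
    parent_ds = [ds_for("example.", ksk)]
    print(classify("example.", parent_ds, 2000, [ksk], 2000, now=1000))
    print(classify("example.", parent_ds, 2000, [DNSKEY(257, 3, 13, b"\x02" * 64)], 2000, now=1000))
```

The ordering of the checks is the point: the single outcome (SERVFAIL with code 5) is the same in every failing branch, which is why the more specific cause belongs in EXTRA-TEXT rather than in a separate code.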